Preface

The Ninth International Conference on the Mathematical Foundations of Programming Semantics was held on the campus of Tulane University, New Orleans, Louisiana from April 7 to 10, 1993. The major goal of this conference series is to bring together computer scientists who work in programming semantics and mathematicians who work in areas which might impact programming semantics so that they may share ideas and discuss problems of mutual interest. By letting mathematicians see applications of their work to programming semantics and by letting computer scientists see their ideas and intuitions expressed in pure mathematics, the organizers have sought to improve communication among the researchers in these areas and to establish ties between related areas of research. With these goals in mind, the invited speakers for the conference were Peter Aczel (University of Manchester), Pierre-Louis Curien (LIENS, Paris), Albert Meyer (MIT), Dale Miller (University of Pennsylvania), Andrew Pitts (University of Cambridge), and Gordon Plotkin (University of Edinburgh).

In addition, there were contributed talks by twenty-eight researchers. Some of the contributed talks were presented in two special sessions. The first of these special sessions was devoted to Real-Time Concurrency and was organized by G.M. Reed and A.W. Roscoe (Oxford). The second was on Full Abstraction and was organized by Stephen Brookes (CMU). There was also an invited address by S. Tucker Taft (Intermetrics) on the Ada-9X project.

The Conference Chairpersons were Stephen Brookes and Michael Mislove. The Program Committee Chairpersons were Michael Main and Austin Melton. In addition to the Conference and Program Committee Chairpersons, the Program Committee consisted of Samson Abramsky, Bard Bloom, Matthew Hennessy, Gary Leavens, John Mitchell, Philip Mulry, Frank Oles, Ana Pasztor, Amir Pnueli, G.M. Reed, Edmund Robinson, A.W. Roscoe, Robert Tennent, Glynn Winskel, Steven Vickers, and Guo-Qiang Zhang. The editors wish to express their thanks to the other members of the Committee for their efforts in reviewing the papers submitted for presentation at the conference.

The conference was supported by funds from the Office of Naval Research; we wish to thank ONR for its continuing and generous support of the conference series.

Thanks are due to the many people who helped make the conference run so smoothly. These include John Maraist, Magnus Rothe and Han Zhang. We all owe a special thank you to Geralyn Caradona, Administrative Associate of the Mathematics Department of Tulane University, who managed to oversee virtually all of the small details of running the conference and allow the rest of us to concentrate on the meeting itself. Also we owe thanks to Kelly McLean of the Computer Science Department at Michigan Technological University for her efforts in collecting and organizing the papers for this proceedings.

March 1994

Stephen Brookes
Michael Main
Austin Melton
Michael Mislove
David Schmidt
Abstract

We describe the final universe approach to the characterisation of semantic universes and illustrate it by giving characterisations of the universes of CCS and CSP processes.

Keywords: Final Universe, Process, Coalgebra, Labelled Transition System, CCS, CSP.


1 Introduction

1.1 Process Algebra

In the last decade and a half there has been an explosion of work aimed at the development of a mathematical theory of concurrent processes. One major strand of this work may perhaps be put under the general title of ‘process algebra’. The process algebra approach originated from the seminal ideas of Milner and Hoare. They have presented developments of their ideas in the books [5] and [6]. Other variants of process algebra have appeared in book form ([4], [3]) and there have been hundreds of research papers on the topic.

(This research was partially supported by an SERC Senior Research Fellowship.)
The aim of this paper is to describe a fairly simple approach to the characterisation of certain kinds of mathematical structure that seem to be fundamental to process algebra. I will illustrate the approach by applying it to the two versions of process algebra that appear in [5] and [6]; i.e. CCS and CSP. There are many variants of the ideas of CCS and CSP so it should be emphasised that it is the presentations in those books that will be used, although I shall find it convenient to use my own notation and definitions to some extent. These two versions of process algebra have played a central role in the subject and it seemed natural to apply the approach to these in the first instance. But I expect that the approach will be just as applicable to variations of them and to other versions of process algebra.

For a given abstract informal notion of process, the idea is to specify a universe of abstract processes, make that universe into a mathematical structure and characterise that structure (up to isomorphism). Of course we would like to find simple mathematical structures, well, as simple as allowed by the informal notions. And we would like to find simple characterisations of those structures.

1.2 The Final Universe approach to Semantics

There is a standard picture associated with formal semantics:

    SYNTAX  ---- meaning ---->  SEMANTICS

In the picture a syntactic universe is linked to a semantic universe by an arrow representing meaning. The picture may be viewed set theoretically, as two sets linked by a denotation function, or more abstractly as simply an arrow in a category, the two universes being represented as objects in the category. One natural development of this picture is the familiar initial algebra, compositional approach to syntax and semantics. In this approach the forms of expression of the syntax determine a category of algebras, with homomorphisms between them, in which the syntactic universe forms an initial object; i.e. an object $I$ with the characterising property that for every object $A$ in the category there is a unique map $I \to A$ in the category. Now in order to give a formal semantics to the syntax it suffices to represent the semantics as a semantic universe that is an algebra in the category. The meaning function between syntax and semantics is then the uniquely determined homomorphism.

This initial algebra approach is syntax led; i.e. the category chosen is dictated by the syntax. There is an alternative dual approach to syntax and semantics which is semantics led. Here it is the kind of semantics that is being considered that determines a category in which the semantic universe is now represented as a final object; i.e. an object $F$, with the characterising property that for every object $A$ of the category there is a unique map $A \to F$. In order to use this semantic universe for a particular syntax it is necessary to represent the syntax as an object in the category and once this has been done the meaning map between syntax and semantics is determined as the unique map between them.

These two approaches use the dual category-theoretic notions of initial object and final object in a category and, of course, characterise objects up to isomorphism. It is worth noting that the characterisations are up to a unique isomorphism so that they give the mathematically most stringent kind of characterisation.

In discussing the final universe approach it will be useful to consider the two component notions that make up the notion of a final object. An object $F$ in a category is weakly final/strongly extensional if for every object $A$ there is at least/most one map $A \to F$. Clearly an object is final if and only if it is both weakly final and strongly extensional.

The paper [8] is a useful complement to the present paper. It is concerned with essentially the same idea of final semantics as presented here. A different, but possibly related topic is ‘final algebra semantics’ in the theory of abstract data types. See, for example [7] and the references cited there. Further investigation is needed to see what the relationships are, if any.
1.3 Outline

The rest of this paper is organised as follows. In the next section we review the general mathematical apparatus for final coalgebras that has been developed in [1] and [2]. There is one new result, Theorem 2.2, that plays a useful unifying role here. This theory is very general, and in section 3 we specialise to the key application for process algebra, labelled transition systems. This specialised theory is then applied in sections 4 and 5 to CCS and CSP and the paper ends with some final remarks in section 6. The central notion of section 4 is that of a $\tau$-LTS, defined in definition 4.6. A final $\tau$-LTS is used, in section 4.4, as the semantic universe for CCS that corresponds to the weak bisimulation congruence operational semantics of CCS. In section 4.5 it is shown how the CCS combinators can be defined on any final $\tau$-LTS. This work shows that CCS can be given a non-syntactic axiomatic treatment. In section 4.6 we show that there is a denotational semantics for CCS, assigning a denotation in a final $\tau$-LTS to each CCS agent. This semantics corresponds exactly to the operational weak bisimulation congruence semantics.

Several of the results in this paper are stated without proof. It is hoped that it should be a fairly routine matter for the reader to find the missing proofs for themselves.

2 Coalgebras and Classes

2.1 Coalgebras

We shall work with the following general notion that is dual to the more familiar notion of an algebra relative to an endofunctor. Given an endofunctor $F : C \to C$ on a category $C$, a coalgebra (for $F$) is a pair $(A, \theta)$ such that $\theta : A \to FA$ is a map in the category $C$. The coalgebras themselves form a category, where a map $(A, \theta) \to (A', \theta')$ is a map $f : A \to A'$ of $C$ such that $(Ff)\theta = \theta' f$; i.e. the obvious square commutes.
2.2 Classes

Our examples of final universes of processes will be final objects in certain full subcategories of coalgebras for functors on the category of classes. So we shall want to work with classes. This could be avoided by using a universe of sets or else by using an inaccessible cardinal or making cardinality restrictions. But for us the most natural approach is to use classes. For the most part we use a standard axiomatic set theory approach to classes. But we will need to make use of the following principle:

Quotient Existence Principle for Classes: If $A$ is a class and $R \subseteq A \times A$ is an equivalence relation on $A$ then there is a function $[-]_R$ defined on $A$ such that for all $x, y \in A$

$$[x]_R = [y]_R \iff xRy.$$

We call $[-]_R$ a quotient of $A$ with respect to $R$ and call $[A]_R = \{[x]_R \mid x \in A\}$ a quotient class of $A$ with respect to $R$. The subscript $R$ will usually be omitted when there is no confusion.

This principle is an easy consequence of a global form of the axiom of choice, and this may be the simplest perspective for the reader to take. In fact the principle has really little to do with the axiom of choice and an alternative approach is to depart from the traditional approach to classes taken in axiomatic set theory and redefine the notion of class, so that according to the new notion a class is a pair of old classes, the second being an equivalence relation on the first. Then the Quotient Existence Principle becomes a triviality as the quotient class is simply obtained by changing the equivalence relation. Although not traditional, this approach would seem to be rather natural from the category-theoretic perspective.

2.3 Standard Functors

Let $Class$ be the category of classes. This is a superlarge category. But we shall not worry here about making our use of this rigorous. From previous experience (e.g. see [1]) there is no serious problem with a careful handling of it. If $A$ is a subclass of $B$ then the identity map from $A$ to $B$ will be called an inclusion map $A \hookrightarrow B$. We say that a functor $F : Class \to Class$ preserves inclusion maps if, whenever $A \subseteq B$ then $FA \subseteq FB$ and $Fi : FA \hookrightarrow FB$, where $i : A \hookrightarrow B$. We also say that $F$ is set continuous if for all classes $A$

$$FA = \bigcup \{ Fa \mid a \in \mathrm{pow}A \},$$

where $\mathrm{pow}A$ is the class of all subsets of the class $A$. If $F$ both preserves inclusion maps and is set continuous then we say that $F$ is standard. Note that $\mathrm{pow}$ can be made into a standard functor by defining $\mathrm{pow}$ on a map $f : A \to B$ to be $\mathrm{pow}f : \mathrm{pow}A \to \mathrm{pow}B$, where

$$\mathrm{pow}f(x) = \{ fy \mid y \in x \}$$

for all $x \in \mathrm{pow}A$. In fact most naturally-defined functors on the category of classes turn out to be standard.

A key result about the category of coalgebras for a standard functor is:

Theorem 2.1 (Final Coalgebra Theorem) Every standard functor on the category of classes has a final coalgebra.

A weaker result was first proved in [1], where it was assumed that the functor preserved weak pullbacks. A slightly stronger result was proved in [2], where it was only assumed that the functor was set-based, a better assumption from the category-theoretic purist's point of view, but not much weaker than the assumption that the functor is standard.

An interesting new generalisation of the above theorem will be useful in this paper. Let $F$ be a standard functor and let $C$ be a full subcategory of the category of coalgebras for $F$. We say that $C$ is image-closed if whenever $A \to B$ is a surjective coalgebra map, with $A$ in $C$, then $B$ is also in $C$. We also say that $C$ is union-closed if whenever $A$ is a coalgebra, such that every element of $A$ is in some subcoalgebra of $A$ that is in $C$, then $A$ is in $C$.

Theorem 2.2 Let $F$ be a standard functor and let $C$ be an image-closed and union-closed, full subcategory of the category of coalgebras for $F$. Then $C$ has a final object.

Proof Sketch: By the final coalgebra theorem $F$ has a final coalgebra $A$. Let $A'$ be the union of the subcoalgebras of $A$ that are in $C$. As $C$ is union closed $A'$ is in $C$. As $A'$ is a subcoalgebra of the strongly extensional $A$, $A'$ is strongly extensional. To show that $A'$ is also a weakly final object of $C$ let $B$ be in $C$. Then there is a unique coalgebra map $B \to A$. This has a factorisation $B \to B' \hookrightarrow A$, where the map $B \to B'$ is surjective. As $C$ is image-closed $B'$ is in $C$. As $B'$ is a subcoalgebra of $A$, it must be a subcoalgebra of $A'$ so that we have a map $B \to B' \hookrightarrow A'$.

Note: If $C_i$ is a full subcategory of the category of coalgebras for $F$, for $i \in I$, then we may form their intersection $\bigcap_{i \in I} C_i$ as a full subcategory. If each $C_i$ is image-closed (union-closed) then so is their intersection. This observation can be useful in applying the above theorem.

The following further weakening of the notion of a weakly final coalgebra will be useful. It was used in [2] when proving the Final Coalgebra Theorem. Given a standard functor on the category of classes, a coalgebra $(A, \theta)$ is small if $A$ is a set. A coalgebra $(A, \theta)$ is weakly complete if, for every small coalgebra $(A', \theta')$ there is at least one coalgebra map $(A', \theta') \to (A, \theta)$. We have the following results from [2]:

Proposition 2.3 Every weakly complete strongly extensional coalgebra is final.

Proposition 2.4 For every coalgebra there is a surjective map from it onto a strongly extensional coalgebra.

These two results together give a construction of a final object as a strongly extensional quotient of any weakly complete coalgebra.

3 Labelled Transition Systems

We assume given a fixed set $Act$ of atomic actions. We define a labelled transition system (LTS) (relative to $Act$) to be a coalgebra for the standard functor $\mathrm{pow}(Act \times -)$. We also define the notion of LTS-map in the obvious way by specialising the terminology for coalgebras to this particular functor. Let $\mathbf{A} = (A, \theta)$ be an LTS. The map $\theta : A \to \mathrm{pow}(Act \times A)$ is called the transition map of $\mathbf{A}$. If $a, b \in A$ we write $a \xrightarrow{\alpha} b$ in $\mathbf{A}$, or just $a \xrightarrow{\alpha} b$ when there is no ambiguity, when $(\alpha, b) \in \theta(a)$. So an LTS associates with each $\alpha \in Act$ the transition relation $\xrightarrow{\alpha}$. Note that the transition map can be recovered from these transition relations by defining

$$\theta(a) = \{ (\alpha, b) \mid a \xrightarrow{\alpha} b \}$$

for all $a \in A$.

We have the following results about LTSs that carry over from the results about coalgebras in general.

Theorem 3.1 There is a final LTS.

Theorem 3.2 Any image-closed and union-closed, full subcategory of the category of LTSs has a final object.

In chapter 8 of [1] I showed that any final LTS gives a universe for the SCCS processes, up to the strong bisimulation equivalence that is the natural one to consider for SCCS. There I also showed how the SCCS combinators could be defined as operations on any final LTS. It is equally clear that the same final LTS is also a universe for the CCS processes, again up to strong bisimulation equivalence.

3.1 Deterministic Processes

We can now briefly consider the simplest and most familiar notion of process. The deterministic processes form subuniverses of both the universes of CCS processes and of CSP processes. The universe of deterministic processes has a natural construction as an LTS of trace sets. We see below that the universe also has a natural characterisation as a final deterministic LTS.

Definition 3.3 An LTS $\mathbf{A} = (A, \theta)$ is deterministic if, for all $a \in A$ the set of pairs $\theta(a) \subseteq Act \times A$ is (the graph of) a function; i.e. if $a \xrightarrow{\alpha} a_1$ and $a \xrightarrow{\alpha} a_2$ then $a_1 = a_2$.

If $dC$ is the full subcategory of the category of LTSs consisting of deterministic LTSs then it is not hard to see that $dC$ is image-closed and union-closed and hence has a final object. This category $dC$ may also be defined as the category of all the coalgebras for the standard functor $\mathrm{Map}(Act, -)$ that associates with each class $X$ the class $\mathrm{Map}(Act, X)$ of all partial functions $f : Act \to X$; i.e. functions, each defined on some subset of $Act$, with values in $X$.

As usual we let $Act^*$ be the set of strings of elements of $Act$. A set $X \subseteq Act^*$ is a trace-set if it is non-empty and is prefix closed; i.e. if $\sigma\alpha \in X$, where $\sigma \in Act^*$ and $\alpha \in Act$, then $\sigma \in X$. Let $TR$ be the set of trace-sets. We can make this into a deterministic LTS $(TR, \theta_{TR})$, called the trace-set-LTS, by defining

$$\theta_{TR}(X) = \{ (\alpha, \{ \sigma \in Act^* \mid \alpha\sigma \in X \}) \mid \alpha \in X \cap Act \},$$

for each $X \in TR$. Now given any LTS $\mathbf{A} = (A, \theta)$ we can define a function $tr : A \to TR$ by:

$$tr(a) = \{ \sigma \in Act^* \mid a \xrightarrow{\sigma} a' \text{ for some } a' \},$$

for all $a \in A$, where, if $\sigma = \alpha_1 \cdots \alpha_n \in Act^*$ then

$$a \xrightarrow{\sigma} a' \iff a \xrightarrow{\alpha_1} a_1 \cdots a_{n-1} \xrightarrow{\alpha_n} a' \text{ for some } a_1, \ldots, a_{n-1}.$$

Theorem 3.4 If $\mathbf{A}$ is a deterministic LTS then $tr : \mathbf{A} \to (TR, \theta_{TR})$ is the unique LTS map into the trace-set LTS. Hence the trace-set LTS is a final object of $dC$.

3.2 Bisimulation on an LTS

The notion of a bisimulation relation on an LTS is fundamental. Here we give a definition that exploits the brevity of relation algebra. If $R_1, R_2$ are relations then their relational composition $R_1 R_2$ is defined to be the relation $R$ where

$$aRb \iff aR_1 c R_2 b \text{ for some } c.$$

Also the inverse $R^{-1}$ of a relation $R$ is given by

$$aR^{-1}b \iff bRa.$$

Now if $R$ is a relation on $A$, where $\mathbf{A} = (A, \theta)$ is an LTS, then, for each $\alpha \in Act$, we can form the relational compositions $R \xrightarrow{\alpha}$ and $\xrightarrow{\alpha} R$ and, for $a \in A$, let

$$R\theta(a) = \{ (\alpha, x) \mid a R \xrightarrow{\alpha} x \}$$

and

$$\theta R(a) = \{ (\alpha, x) \mid a \xrightarrow{\alpha} R x \}.$$

Definition 3.5 $R$ is a simulation on $\mathbf{A}$ if $R\theta(a) \subseteq \theta R(a)$ for all $a \in A$, and a bisimulation on $\mathbf{A}$ if both $R$ and $R^{-1}$ are simulations on $\mathbf{A}$.

Proposition 3.6 Let $\sim$ be an equivalence relation on $A$. Then $\sim$ is a bisimulation on $\mathbf{A}$ iff

$$a_1 \sim a_2 \implies \theta{\sim}(a_1) = \theta{\sim}(a_2).$$

If $\sim$ is a bisimulation on $\mathbf{A}$ and $[-] : A \to [A]$ is a quotient of $A$ with respect to $\sim$ then there is a unique map

$$[\theta] : [A] \to \mathrm{pow}(Act \times [A])$$

such that $[-]$ is an LTS map $[-] : \mathbf{A} \to [\mathbf{A}]$, where $[\mathbf{A}]$ is the LTS

Theorem 3.7 For any LTS $\mathbf{A}$ there is a maximal bisimulation on $\mathbf{A}$. Moreover it is an equivalence relation on $A$ and is the maximal relation $\sim$ on $A$ such that for all $a_1, a_2 \in A$

$$a_1 \sim a_2 \iff \theta{\sim}(a_1) = \theta{\sim}(a_2).$$

A quotient $[-] : \mathbf{A} \to [\mathbf{A}]$ of an LTS $\mathbf{A}$ with respect to its maximal bisimulation will be called a collapse of $\mathbf{A}$.

Lemma 3.8 An LTS is strongly extensional iff its maximal bisimulation is the equality relation on the LTS.

Theorem 3.9 Any collapse of an LTS is strongly extensional, so that a collapse of any weakly complete LTS is a final LTS.
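The relation-algebra definitions of this section, the maximal bisimulation of Theorem 3.7 and the collapse, worked on a finite LTS. This is an added example, not code from the paper; the LTS `THETA` is constructed for the illustration, and the refinement loop in `maximal_bisimulation` is the usual greatest-fixpoint computation rather than anything the paper specifies.

```python
from itertools import product

# A finite LTS (A, theta): a dict from each state a to theta(a), the set of
# pairs (alpha, b) with a --alpha--> b.  Constructed sample: q and r are
# bisimilar, hence so are p and p2.
THETA = {
    "p":  {("a", "q"), ("a", "r")},
    "p2": {("a", "q")},
    "q":  {("b", "s")},
    "r":  {("b", "s")},
    "s":  set(),
}

def is_deterministic(theta):
    """Definition 3.3: each theta(a) is the graph of a partial function Act -> A."""
    return all(len({alpha for alpha, _ in succ}) == len(succ) for succ in theta.values())

def inverse(R):
    """R^{-1}: a R^{-1} b iff b R a."""
    return {(b, a) for a, b in R}

def R_theta(theta, R, a):
    """R theta(a) = {(alpha, x) | a R c --alpha--> x for some c}."""
    return {(alpha, x) for a1, c in R if a1 == a for alpha, x in theta[c]}

def theta_R(theta, R, a):
    """theta R(a) = {(alpha, x) | a --alpha--> c R x for some c}."""
    return {(alpha, x) for alpha, c in theta[a] for c1, x in R if c1 == c}

def is_simulation(theta, R):
    """Definition 3.5: R theta(a) is included in theta R(a) for every state a."""
    return all(R_theta(theta, R, a) <= theta_R(theta, R, a) for a in theta)

def is_bisimulation(theta, R):
    """R is a bisimulation iff both R and R^{-1} are simulations."""
    return is_simulation(theta, R) and is_simulation(theta, inverse(R))

def _matches(theta, R, a, b):
    # every move of a is answered by a move of b with the same action,
    # with the two targets related by R
    return all(any(beta == alpha and (x, y) in R for beta, y in theta[b])
               for alpha, x in theta[a])

def maximal_bisimulation(theta):
    """Theorem 3.7: refine A x A until it is a fixpoint.  The result is the
    largest bisimulation on the LTS and is an equivalence relation."""
    R = set(product(theta, repeat=2))
    while True:
        refined = {(a, b) for a, b in R
                   if _matches(theta, R, a, b) and _matches(theta, R, b, a)}
        if refined == R:
            return R
        R = refined

def collapse(theta):
    """Quotient of (A, theta) by its maximal bisimulation: the states are the
    equivalence classes and [theta]([a]) = {(alpha, [b]) | (alpha, b) in theta(a)}."""
    R = maximal_bisimulation(theta)
    cls = {a: frozenset(b for a1, b in R if a1 == a) for a in theta}
    return {cls[a]: {(alpha, cls[b]) for alpha, b in theta[a]} for a in theta}

def is_strongly_extensional(theta):
    """Lemma 3.8: strongly extensional iff the maximal bisimulation is equality."""
    return maximal_bisimulation(theta) == {(a, a) for a in theta}
```

Running `collapse(THETA)` yields three states, and the collapse is strongly extensional while `THETA` itself is not.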

3.3 Coloured LTSs

There is a simple variation on the notion of an LTS that allows each process to have a colour so as to get a more intensional notion of process. This will be a useful tool in dealing with CSP. Suppose that we are given a set $Col$ of colours.

Definition 3.10 A coloured labelled transition system (CLTS), (relative to $Act$ and $Col$) is a coalgebra for the functor $\mathrm{pow}(Act \times -) \times Col$ on the category of classes.

If $\mathbf{A} = (A, \phi)$ is a CLTS then we can define maps $\theta : A \to \mathrm{pow}(Act \times A)$ and $col : A \to Col$ so that for $a \in A$

$$\phi(a) = (\theta(a), col(a)).$$

So we get the underlying LTS $(A, \theta)$ of the CLTS and a map that associates with each element $a$ of $A$ its colour $col(a)$. We can carry over notation and terminology from LTSs to CLTSs. In particular we call a CLTS deterministic if its underlying LTS is deterministic.

4 CCS Processes

4.1 Review of CCS

Here we want to summarise the syntax and operational semantics of CCS, as it is presented in the book [6].

4.1.1 Syntax of CCS

We assume given a set $\mathcal{A}$ of names, with an associated disjoint set $\bar{\mathcal{A}}$ of conames, one coname $\bar{a}$ for each name $a$. Each name $a$ forms a complementary pair with its coname $\bar{a}$. Names and conames in general will be called labels and, for any label $l$ we will write $\bar{l}$ for its complement. So if $l = a$ then $\bar{l} = \bar{a}$ and in general, for any label $l$, $\bar{\bar{l}} = l$. Any set $L$ of labels will also be called a sort, and for any sort $L$ we let $\bar{L} = \{ \bar{l} \mid l \in L \}$ and $L^* = L \cup \bar{L}$.

We will need a special silent action $\tau$. The labels, with the silent action, form the set $Act$ of atomic actions. So $Act = \mathcal{A}^* \cup \{\tau\}$. We call $f : Act \to Act$ a relabelling map if $f(\tau) = \tau$ and, for each label $l$, $f(l)$ is a label and $f(\bar{l}) = \overline{f(l)}$.

We first define the class $E_K$ of agents (agent expressions) of CCS, relative to a class $K$ of agent constants. Given the class $K$, with typical element $c$, we specify the class $E_K$, with typical element $e$, in the following BNF style:

$$e ::= c \mid \alpha.e \mid \sum_{i \in I} e_i \mid e_1 | e_2 \mid e \backslash L \mid e[f]$$

Here $I$ can be any set and $e_i$ is an agent for each $i \in I$. Also $L$ is a sort and $f$ is a relabelling map. In order to give the CCS operational semantics to this language of agents it is necessary to have an assignment of a defining equation $c \overset{def}{=} e_c$ to each agent constant $c$. This can be specified by a function $\kappa : K \to E_K$, which associates with each constant $c$ the agent $e_c = \kappa(c)$ that appears on the right hand side of the defining equation. We will call the pair $\mathcal{K} = (K, \kappa)$ a system of constants for CCS.

As envisioned in the book [6], constants with their defining equations can be introduced as needed. We can capture this idea of an open language with an expanding system of constants by using a fixed system of constants that is universal in the following sense.

Definition 4.1 A system of constants $\mathcal{K} = (K, \kappa)$ for CCS is universal if for every small LTS $(I, \psi)$ there is $k : I \to K$ such that for all $i \in I$

$$\kappa(k(i)) = \sum_{(\alpha, j) \in \psi(i)} \alpha.k(j).$$

The following fact is easy to prove.

Proposition 4.2 There is a universal system of constants for CCS.

4.1.2 Operational Semantics of CCS

The operational semantics of CCS is given by the following clauses of an inductive definition that is used to generate the labelled transition relation that has a transition relation $\xrightarrow{\alpha}$ for each $\alpha \in Act$.
The above operational semantics can be reformulated as a recursive definition of the function $\theta : E_K \to \mathrm{pow}(Act \times E_K)$, where

$$\theta(e) = \{ (\alpha, e') \mid e \xrightarrow{\alpha} e' \}$$

for all $e \in E_K$. It is the ‘least’ function satisfying the following equations

$$\theta(c) = \theta(e_c),$$

$$\theta(\alpha.e) = \{ (\alpha, e) \},$$

$$\theta(\textstyle\sum_{i \in I} e_i) = \bigcup_{i \in I} \theta(e_i),$$

$$\theta(e_1 | e_2) = Q(e_1, e_2, \theta(e_1), \theta(e_2)),$$

$$\theta(e \backslash L) = \{ (\alpha, e' \backslash L) \mid (\alpha, e') \in \theta(e) \ \&\ \alpha \notin L^* \},$$

$$\theta(e[f]) = \{ (f(\alpha), e'[f]) \mid (\alpha, e') \in \theta(e) \}.$$

In the equation for $\theta(e_1 | e_2)$ we have used an operation $Q$, where for $e_1, e_2 \in E_K$ and sets $X_1, X_2 \subseteq Act \times E_K$ the set $Q(e_1, e_2, X_1, X_2) =$

$$\{ (\alpha, e_1' | e_2) \mid (\alpha, e_1') \in X_1 \} \cup \{ (\alpha, e_1 | e_2') \mid (\alpha, e_2') \in X_2 \}$$

$$\cup\ \{ (\tau, e_1' | e_2') \mid (l, e_1') \in X_1 \ \&\ (\bar{l}, e_2') \in X_2 \text{ for some label } l \}.$$

The sense of ‘least’ intended here is such that, for any other function $\theta'$ satisfying the equations, $\theta(e) \subseteq \theta'(e)$ for all $e \in E_K$. Note that these equations can also be viewed as a compositional definition by structural recursion on the ‘syntax’ of $E_K$, combined with a least fixed point definition of a function on the set $K$ of constants. More specifically, if $\psi : K \to \mathrm{pow}(Act \times E_K)$ then we can define, by structural recursion, a function $\theta_\psi$ using the equations above for $\theta$, except that the first equation should be replaced by

$$\theta_\psi(c) = \psi(c).$$

Now let $\theta$ be $\theta_\psi$ where $\psi$ is the ‘least’ function such that $\psi(c) = \theta_\psi(e_c)$ for all constants $c \in K$.

Finally we can give the CCS construction of a final LTS.

Proposition 4.3 If $\mathcal{K} = (K, \kappa)$ is a universal system of constants for CCS then $\mathbf{E}_{\mathcal{K}} = (E_K, \theta)$ is a weakly complete LTS, so that any collapse of it is a final LTS.
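The recursive definition of $\theta$ above, including the operation $Q$ and the least $\psi$ for a system of constants, carried out on a small guarded system. This is an added example and not the paper's code; the tuple encoding of agents, the spelling of conames as `~n`, and the sample constants `KAPPA` are all constructed for the illustration.

```python
# Agent encoding (constructed for this example), following the BNF
#   e ::= c | alpha.e | sum_i e_i | e1|e2 | e\L | e[f]:
#   ("const", c)  ("prefix", alpha, e)  ("sum", (e1, ..., en))  (nil is the empty sum)
#   ("par", e1, e2)  ("restrict", e, L)  ("relabel", e, f)
# Names are strings, the coname of n is "~n", L is a frozenset of labels and
# f is a tuple of (name, name) pairs extended to a relabelling map below.
TAU = "tau"

def complement(label):
    """l-bar: ~n for a name n, and n for the coname ~n (so the complement is an involution)."""
    return label[1:] if label.startswith("~") else "~" + label

def relabel(f, alpha):
    """Extend f to Act: f(tau) = tau, f(~n) = complement(f(n)); names not in f are fixed."""
    if alpha == TAU:
        return TAU
    fd = dict(f)
    if alpha.startswith("~"):
        return complement(fd.get(alpha[1:], alpha[1:]))
    return fd.get(alpha, alpha)

def Q(e1, e2, X1, X2):
    """The operation Q: moves of either side, plus a tau move for each pair
    of complementary labels (the communication case)."""
    left = {(a, ("par", e1p, e2)) for a, e1p in X1}
    right = {(a, ("par", e1, e2p)) for a, e2p in X2}
    comm = {(TAU, ("par", e1p, e2p)) for l, e1p in X1 if l != TAU
            for m, e2p in X2 if m == complement(l)}
    return left | right | comm

def theta_psi(psi, e):
    """theta_psi(e) by structural recursion on e, with theta_psi(c) = psi(c)."""
    kind = e[0]
    if kind == "const":
        return set(psi.get(e[1], ()))
    if kind == "prefix":
        return {(e[1], e[2])}
    if kind == "sum":
        return set().union(*(theta_psi(psi, ei) for ei in e[1]))
    if kind == "par":
        return Q(e[1], e[2], theta_psi(psi, e[1]), theta_psi(psi, e[2]))
    if kind == "restrict":
        _, e0, L = e
        L_star = set(L) | {complement(l) for l in L}
        return {(a, ("restrict", ep, L)) for a, ep in theta_psi(psi, e0) if a not in L_star}
    if kind == "relabel":
        _, e0, f = e
        return {(relabel(f, a), ("relabel", ep, f)) for a, ep in theta_psi(psi, e0)}
    raise ValueError(f"unknown agent form {kind}")

def least_psi(kappa):
    """The least psi with psi(c) = theta_psi(e_c), iterated up from psi = empty.
    The iteration terminates for guarded constants such as KAPPA below."""
    psi = {c: frozenset() for c in kappa}
    while True:
        new = {c: frozenset(theta_psi(psi, e_c)) for c, e_c in kappa.items()}
        if new == psi:
            return psi
        psi = new

def theta(kappa, e):
    """The transition map theta of the system of constants (K, kappa)."""
    return theta_psi(least_psi(kappa), e)

# Constructed sample system: A = a.A1, A1 = ~b.A, B = b.B1, B1 = ~c.B.
KAPPA = {
    "A":  ("prefix", "a", ("const", "A1")),
    "A1": ("prefix", "~b", ("const", "A")),
    "B":  ("prefix", "b", ("const", "B1")),
    "B1": ("prefix", "~c", ("const", "B")),
}
# (A | B)\{b}: the b moves are restricted, so A and B can only interact via tau.
SYSTEM = ("restrict", ("par", ("const", "A"), ("const", "B")), frozenset({"b"}))
```

`theta(KAPPA, SYSTEM)` has the single move `a` to `(A1 | B)\{b}`, whose only move in turn is the communication `tau` to `(A | B1)\{b}`.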

4.2  Weak  Bisimulation 

We  have  seen  how  the  syntax  and  operational  semantics  of  CCS 
gives  rise  to  an  LTS  Ek  =  (Ek,  6),  relative  to  a  system  of  constants 
1C.  The  maximal  bisimulation  relation  on  this  LTS  has  been  called 
strong  bisimulation  equivalence.  It  is  a  congruence  with  respect 
to  the  combinators  of  CCS ,  so  that  these  combinators  induce  oper¬ 
ations  on  any  collapse  of  this  LT S. 

But  this  LTS  does  not  incorporate  any  special  treatment  of  the 
distinguished  action  r  to  reflect  the  intended  intuition  that  r  should 
not  be  externally  observable.  To  capture  this  [6]  introduces  relations 

=£•  on  Ek  and  uses  them,  instead  of  the  relations  A,  to  get  a  max¬ 
imal  bisimulation  relation  «,  called  weak  bisimulation  equiva¬ 
lence.  As  this  equivalence  relation  turns  out  not  to  be  a  congruence 
it  is  used  to  define  the  main  equivalence  relation  ~c,  called  weak 
bisimulation  congruence  because  it  is  indeed  a  congruence  with 
respect  to  all  the  CCS  combinators.  So  it  is  possible  to  take  any 
quotient  class  [/£*-]  of  Ek  with  respect  to  the  congruence  and 
have  the  combinators  induce  operations  on  [Ek\-  One  of  the  main 
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aims  of  this  paper  has  been  to  characterise  an  underlying  LTS  for 
this  structure  that  determines  these  operations. 

The definitions of $\approx$ and $\approx_c$ will make sense for any LTS $\mathcal{A}$, provided we assume a distinguished atomic action $\tau \in Act$. As the latter relation is no longer sensibly called a congruence in general, we shall call it the $\tau$-bisimulation equivalence on $\mathcal{A}$ and write it $\approx_\tau$. We first let $\Longrightarrow$ be the reflexive transitive closure $(\stackrel{\tau}{\longrightarrow})^*$ of $\stackrel{\tau}{\longrightarrow}$ and then, for each $\alpha \in Act$, we can define $\stackrel{\alpha}{\Longrightarrow}$ to be the relational composition $\Longrightarrow \stackrel{\alpha}{\longrightarrow} \Longrightarrow$. Also, for each $\alpha \in Act$, the relation $\stackrel{\hat{\alpha}}{\Longrightarrow}$ is defined to be the relation $\stackrel{\alpha}{\Longrightarrow}$, except that when $\alpha = \tau$ it is $\Longrightarrow$, so that $\stackrel{\hat{\tau}}{\Longrightarrow}$ is the reflexive closure of $\stackrel{\tau}{\Longrightarrow}$.

Definition 4.4 For $i = 0, 1, 2$, we define the LTS $\mathcal{A}_i = (A, \theta_i)$, where the map $\theta_i : A \to pow(Act \times A)$ is given by:

$\theta_0(a) = \{(\alpha, a') \mid a \stackrel{\alpha}{\Longrightarrow} a'\}$,

$\theta_1(a) = \{(\alpha, a') \in \theta_0(a) \mid a' \stackrel{\tau}{\longrightarrow} a'\}$,

$\theta_2(a) = \theta_0(a) \cup \{(\tau, a)\}$.

Note that $\theta_0$ and $\theta_2$ are the transition maps whose transition relations are $\stackrel{\alpha}{\Longrightarrow}$ and $\stackrel{\hat{\alpha}}{\Longrightarrow}$ for $\alpha \in Act$.

Definition 4.5 Given an LTS $\mathcal{A}$ the relation $\approx$ of weak bisimulation equivalence on $\mathcal{A}$ is the maximal bisimulation on the LTS $\mathcal{A}_2$ and the relation $\approx_\tau$ of $\tau$-bisimulation equivalence on $\mathcal{A}$ is given by

$a_1 \approx_\tau a_2 \iff (\theta_0)^{\approx}(a_1) = (\theta_0)^{\approx}(a_2)$.

When $\mathcal{A}$ is $\mathcal{E}_K$, for some CCS system of constants $K$, then $\approx_\tau$ is the relation $\approx_c$ of weak bisimulation congruence.

In [6] weak bisimulation congruence is the fundamental equivalence relation for CCS. So it will be our main concern. In proposition 4.14 we will give a reformulation of the definition of $\approx_\tau$ on certain LTSs $\mathcal{A}$, as a maximal bisimulation on an associated LTS $\mathcal{A}_\tau$.


Definition 4.6 Let $\mathcal{A}$ be an LTS. It is a $\tau$-LTS if

1. If $a \stackrel{\tau}{\longrightarrow} \stackrel{\alpha}{\longrightarrow} b$ or $a \stackrel{\alpha}{\longrightarrow} \stackrel{\tau}{\longrightarrow} b$ then $a \stackrel{\alpha}{\longrightarrow} b$,

2. If $a' \stackrel{\alpha}{\longrightarrow} a$ then $a \stackrel{\tau}{\longrightarrow} a$.

$\mathcal{A}$ is $\tau$-transitive if 1 holds and weakly $\tau$-reflexive if 2 holds. If the following strengthening of 2 holds then $\mathcal{A}$ is $\tau$-reflexive.

• $a \stackrel{\tau}{\longrightarrow} a$ for all $a \in A$.

Note that, for any LTS $\mathcal{A}$, $\mathcal{A}_0$, $\mathcal{A}_1$ and $\mathcal{A}_2$ are all $\tau$-transitive and that $\mathcal{A}_1$ and $\mathcal{A}_2$ are $\tau$-LTSs, with $\mathcal{A}_2$ also $\tau$-reflexive. The following result will be useful.

Lemma 4.7 Let $\pi : \mathcal{B} \to \mathcal{A}$ be an LTS map. Then, for $i = 0, 1, 2$, $\pi$ is also an LTS map $\pi : \mathcal{B}_i \to \mathcal{A}_i$, provided that when $i = 1$ the LTS $\mathcal{B}$ is weakly $\tau$-reflexive.

4.3 Three full subcategories of LTSs

It will be useful to focus on the full subcategories $\mathcal{C}_0, \mathcal{C}_1, \mathcal{C}_2$ of the category of LTSs. An LTS is in $\mathcal{C}_0$ if it is $\tau$-transitive. If it is also $\tau$-reflexive (weakly $\tau$-reflexive) then it is in $\mathcal{C}_2$ ($\mathcal{C}_1$). Thus $\mathcal{C}_1$ is the full subcategory of $\tau$-LTSs. These subcategories are easily observed to be image-closed and union-closed, so that we can apply theorem 3.2 to get the following result.

Theorem 4.8 For $i = 0, 1, 2$ there is a final object of $\mathcal{C}_i$.

Proposition 4.9 Let $\mathcal{A}$ be any LTS. For $i = 0, 1, 2$,

$\mathcal{A}$ is in $\mathcal{C}_i \iff \mathcal{A}_i = \mathcal{A}$.

Theorem 4.10 If $\mathcal{A}$ is a weakly complete LTS then, for $i = 0, 1, 2$, $\mathcal{A}_i$ is a weakly complete object of $\mathcal{C}_i$ so that any collapse of $\mathcal{A}_i$ is a final object of $\mathcal{C}_i$.
4.4 LTSs with a $\tau$-prefix operation

Definition 4.11 A $\tau$-prefix operation on an LTS $\mathcal{A} = (A, \theta)$ is an assignment of an element $a_\tau \in A$ to each $a \in A$, such that

$\theta(a_\tau) = \theta(a) \cup \{(\tau, a)\}$.

Note that $\mathcal{E}_K$ always has the $\tau$-prefix operation given by $a_\tau = \tau.a$. The following result is a familiar fact about weak bisimulation on $\mathcal{E}_K$ and will be useful below.

Lemma 4.12 Let $\mathcal{A} = (A, \theta)$ be an LTS with a $\tau$-prefix operation. Then $a \approx a_\tau$ for all $a \in A$.

Proof: It suffices to show that $\mathcal{R} = \{(a, b) \in A \times A \mid a_\tau = b \text{ or } a = b\}$ is a weak bisimulation relation on $\mathcal{A}$. For that it suffices to show that

(a) $a_\tau \stackrel{\hat{\alpha}}{\Longrightarrow} x$ implies $a \stackrel{\hat{\alpha}}{\Longrightarrow} \mathcal{R}\, x$,

(b) $a \stackrel{\hat{\alpha}}{\Longrightarrow} x$ implies $a_\tau \stackrel{\hat{\alpha}}{\Longrightarrow} \mathcal{R}\, x$.

For (a), let $a_\tau \stackrel{\hat{\alpha}}{\Longrightarrow} x$. Then either $a_\tau \stackrel{\alpha}{\Longrightarrow} x$ or else $\alpha = \tau$ and $a_\tau = x$. In the first case $a \stackrel{\alpha}{\Longrightarrow} x$ so that $a \stackrel{\hat{\alpha}}{\Longrightarrow} x \mathcal{R} x$. In the second case $\alpha = \tau$ so that $a \stackrel{\hat{\tau}}{\Longrightarrow} a \mathcal{R} a_\tau = x$. In either case $a \stackrel{\hat{\alpha}}{\Longrightarrow} \mathcal{R}\, x$.

For (b), if $a \stackrel{\hat{\alpha}}{\Longrightarrow} x$ then $a_\tau \stackrel{\hat{\alpha}}{\Longrightarrow} x \mathcal{R} x$.
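As an added illustration of Definitions 4.4 and 4.5 and of Lemma 4.12 (example code written for this edition, not from the paper), the following Python computes $\approx$ as the maximal bisimulation on $\mathcal{A}_2$ by partition refinement, then decides $\approx_\tau$ from $\theta_0^{\approx}$, on a few constructed CCS agents; the state names, the function names and the string `"tau"` for $\tau$ are assumptions of the example.

```python
"""Weak bisimulation equivalence and tau-bisimulation equivalence on a finite
LTS, computed as in Definitions 4.4 and 4.5; tau_prefix follows Definition 4.11.
The CCS agents at the bottom are constructed sample input."""
from typing import Callable, Dict, Set, Tuple

TAU = "tau"
# An LTS A = (A, theta) is a dict sending each state a to theta(a),
# the set of (action, successor) pairs.
LTS = Dict[str, Set[Tuple[str, str]]]


def tau_closure(lts: LTS, a: str) -> Set[str]:
    """=> : the reflexive transitive closure of tau-> starting from a."""
    seen, todo = {a}, [a]
    while todo:
        x = todo.pop()
        for act, y in lts[x]:
            if act == TAU and y not in seen:
                seen.add(y)
                todo.append(y)
    return seen


def theta0(lts: LTS, a: str) -> Set[Tuple[str, str]]:
    """theta_0(a) = {(alpha, a') | a =alpha=> a'}, where =alpha=> is the
    composition => alpha-> => (at least one alpha step, also for alpha = tau)."""
    return {(act, z)
            for x in tau_closure(lts, a)
            for act, y in lts[x]
            for z in tau_closure(lts, y)}


def theta2(lts: LTS, a: str) -> Set[Tuple[str, str]]:
    """theta_2(a) = theta_0(a) U {(tau, a)}: the 'hat' relations, with
    =tau-hat=> the reflexive closure of =tau=>."""
    return theta0(lts, a) | {(TAU, a)}


def maximal_bisimulation(states, theta: Callable[[str], Set[Tuple[str, str]]]) -> Dict[str, int]:
    """Coarsest partition of `states` stable under theta: a and b share a class
    iff theta(a) and theta(b) coincide once successors are replaced by their
    classes (the paper's theta^R for the maximal bisimulation R).
    Returns a map state -> class id; equal ids mean bisimilar."""
    cls = {s: 0 for s in states}                  # start by identifying everything
    while True:
        ids: Dict[object, int] = {}
        new = {}
        for s in states:
            # refine the old class of s by its signature under the old classes
            sig = (cls[s], frozenset((act, cls[y]) for act, y in theta(s)))
            new[s] = ids.setdefault(sig, len(ids))
        if len(ids) == len(set(cls.values())):    # nothing split: fixpoint
            return new
        cls = new


def weakly_bisimilar(lts: LTS, a1: str, a2: str) -> bool:
    """a1 ≈ a2: the maximal bisimulation on A_2 (Definition 4.5)."""
    cls = maximal_bisimulation(lts, lambda s: theta2(lts, s))
    return cls[a1] == cls[a2]


def tau_bisimilar(lts: LTS, a1: str, a2: str) -> bool:
    """a1 ≈_tau a2 iff theta_0^≈(a1) = theta_0^≈(a2); on the CCS LTS this is
    weak bisimulation congruence (Definition 4.5)."""
    cls = maximal_bisimulation(lts, lambda s: theta2(lts, s))

    def image(a: str) -> Set[Tuple[str, int]]:
        return {(act, cls[y]) for act, y in theta0(lts, a)}

    return image(a1) == image(a2)


def tau_prefix(lts: LTS, a: str, name: str) -> LTS:
    """Return a copy of the LTS extended with a_tau (called `name`), where
    theta(a_tau) = theta(a) U {(tau, a)} (Definition 4.11); by Lemma 4.12
    the new state is weakly bisimilar to a."""
    if name in lts:
        raise ValueError(f"{name!r} already names a state")
    new = {s: set(t) for s, t in lts.items()}
    new[name] = set(lts[a]) | {(TAU, a)}
    return new


# Constructed CCS agents over Act = {a, b, tau}; "0" is the inactive agent.
CCS: LTS = {
    "0": set(),
    "a.0": {("a", "0")},
    "b.0": {("b", "0")},
    "tau.a.0": {(TAU, "a.0")},
    "a.0+tau.a.0": {("a", "0"), (TAU, "a.0")},
    "a.0+b.0": {("a", "0"), ("b", "0")},
    "tau.a.0+b.0": {(TAU, "a.0"), ("b", "0")},
}

if __name__ == "__main__":
    print(weakly_bisimilar(CCS, "a.0", "tau.a.0"))          # True:  tau.a ≈ a (Lemma 4.12)
    print(tau_bisimilar(CCS, "a.0", "tau.a.0"))             # False: ≈ is not a congruence
    print(weakly_bisimilar(CCS, "a.0+b.0", "tau.a.0+b.0"))  # False: the usual witness
    print(tau_bisimilar(CCS, "a.0+tau.a.0", "tau.a.0"))     # True:  P + tau.P ≈_tau tau.P
```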

Definition 4.13 Let $\mathcal{A} = (A, \theta)$ be an LTS with a $\tau$-prefix operation. Then we define the LTS $\mathcal{A}_\tau = (A, \theta_\tau)$, where $\theta_\tau$ is given by

$\theta_\tau(a) = \{(\alpha, b_\tau) \mid a \stackrel{\alpha}{\Longrightarrow} b\}$

for $a \in A$.

Proposition 4.14 The maximal bisimulation on $\mathcal{A}_\tau$ is the same as the $\tau$-bisimulation equivalence relation $\approx_\tau$ on $\mathcal{A}$.

Proof: We need to prove the following two results:

1. $\approx_\tau$ is a bisimulation on $\mathcal{A}_\tau$,

2. If $\mathcal{S}$ is a bisimulation on $\mathcal{A}_\tau$ then

$a_1 \mathcal{S} a_2 \Rightarrow a_1 \approx_\tau a_2$.

1. As $\approx_\tau$ is symmetric it suffices to show that

$a \approx_\tau b \stackrel{\alpha}{\Longrightarrow} x$ implies that there is $z$ such that $a \stackrel{\alpha}{\Longrightarrow} z$ and $z_\tau \approx_\tau x_\tau$.

By the claim below it suffices to show that if $a \approx_\tau b \stackrel{\alpha}{\Longrightarrow} x$ then $a \stackrel{\alpha}{\Longrightarrow} \approx x$. So let $a \approx_\tau b$ and $b \stackrel{\alpha}{\Longrightarrow} x$. Then $\theta_0^{\approx}(a) = \theta_0^{\approx}(b)$ and, as $b \stackrel{\alpha}{\Longrightarrow} x \approx x$ so that $(\alpha, x) \in \theta_0^{\approx}(b)$, we get that $(\alpha, x) \in \theta_0^{\approx}(a)$ so that $a \stackrel{\alpha}{\Longrightarrow} \approx x$.

Claim: $a_1 \approx a_2 \iff a_{1\tau} \approx_\tau a_{2\tau}$.

To prove this claim first observe that, for all $a, b \in A$,

$a_\tau \stackrel{\alpha}{\Longrightarrow} b \iff a \stackrel{\hat{\alpha}}{\Longrightarrow} b$,

so that for any $a \in A$

$\theta_0^{\approx}(a_\tau) = \{(\alpha, x) \mid a_\tau \stackrel{\alpha}{\Longrightarrow} \approx x\} = \{(\alpha, x) \mid a \stackrel{\hat{\alpha}}{\Longrightarrow} \approx x\} = \theta_2^{\approx}(a)$.

Now, as $\approx$ is the maximal bisimulation on $\mathcal{A}_2$,

$a \approx b \iff \theta_2^{\approx}(a) = \theta_2^{\approx}(b) \iff \theta_0^{\approx}(a_\tau) = \theta_0^{\approx}(b_\tau) \iff a_\tau \approx_\tau b_\tau$.

2. Let $\mathcal{S}$ be a bisimulation on $\mathcal{A}_\tau$. We will successively prove the following assertions, ending with the desired one. Note that $\mathcal{S}^{-1}$ is also a bisimulation on $\mathcal{A}_\tau$ so that whatever we prove about $\mathcal{S}$ will also be true of $\mathcal{S}^{-1}$.

(i) $x \mathcal{S} y \stackrel{\alpha}{\Longrightarrow} z$ implies $x \stackrel{\alpha}{\Longrightarrow} \approx \mathcal{S} \approx z$,

(ii) $x \mathcal{S} y \stackrel{\hat{\alpha}}{\Longrightarrow} z$ implies $x \stackrel{\hat{\alpha}}{\Longrightarrow} \approx \mathcal{S} \approx z$,

(iii) $a_1 \approx \mathcal{S} \approx a_2$ implies $a_1 \approx a_2$,

(iv) $a_1 \mathcal{S} a_2$ implies $a_1 \approx a_2$,

(v) $x \mathcal{S} y \stackrel{\alpha}{\Longrightarrow} z$ implies $x \stackrel{\alpha}{\Longrightarrow} \approx z$,

(vi) $a_1 \mathcal{S} a_2$ implies $\theta_0^{\appro}(a_2) \subseteq \theta_0^{\approx}(a_1)$,

(vii) $a_1 \mathcal{S} a_2$ implies $a_1 \approx_\tau a_2$.
Proofs:

(i) Let $x \mathcal{S} y \stackrel{\alpha}{\Longrightarrow} z$. As $\mathcal{S}$ is a bisimulation on $\mathcal{A}_\tau$, $x \stackrel{\alpha}{\Longrightarrow} u$ and $u_\tau \mathcal{S} z_\tau$ for some $u$. By the lemma $u \approx u_\tau$ and $z_\tau \approx z$ so that $x \stackrel{\alpha}{\Longrightarrow} \approx \mathcal{S} \approx z$.

(ii) If $x \mathcal{S} y \stackrel{\hat{\alpha}}{\Longrightarrow} z$ then either $y \stackrel{\alpha}{\Longrightarrow} z$, in which case we may use (i) and the fact that $\stackrel{\alpha}{\Longrightarrow}$ is a subrelation of $\stackrel{\hat{\alpha}}{\Longrightarrow}$, or else $\alpha = \tau$ and $x \mathcal{S} z$, in which case $x \stackrel{\hat{\tau}}{\Longrightarrow} x \approx x \mathcal{S} z \approx z$.

(iii) By (ii) for $\mathcal{S}$ and also for $\mathcal{S}^{-1}$ it easily follows that $\approx \mathcal{S} \approx$ is a weak bisimulation on $\mathcal{A}$. But $\approx$ is the maximal weak bisimulation on $\mathcal{A}$.

(iv) This is an immediate consequence of (iii) because $\mathcal{S}$ is a subrelation of $\approx \mathcal{S} \approx$.

(v) This follows from (i) and (iv).

(vi) If $a_1 \mathcal{S} a_2$ and $(\alpha, x) \in \theta_0^{\approx}(a_2)$ then $a_1 \mathcal{S} a_2 \stackrel{\alpha}{\Longrightarrow} \approx x$ so that, by (v), $(\alpha, x) \in \theta_0^{\approx}(a_1)$.

(vii) By (vi) for both $\mathcal{S}$ and $\mathcal{S}^{-1}$, if $a_1 \mathcal{S} a_2$ then $\theta_0^{\approx}(a_2) = \theta_0^{\approx}(a_1)$; i.e. $a_1 \approx_\tau a_2$.

Note that when $\mathcal{A} = \mathcal{E}_K$ we get a maximal bisimulation characterisation of weak bisimulation congruence and our interest is to give a characterisation of a collapse of $\mathcal{A}_\tau$, when $K$ is a universal system of constants. We will give a characterisation as a final $\tau$-LTS.

Lemma 4.15 Let $[-] : \mathcal{A}_\tau \to [\mathcal{A}_\tau]$ be a collapse of $\mathcal{A}_\tau$, where $\mathcal{A}$ is an LTS with a $\tau$-prefix operation. Let $\pi : \mathcal{B} \to \mathcal{A}$ be an LTS map, where $\mathcal{B}$ is a $\tau$-LTS. Then $\pi' : \mathcal{B} \to [\mathcal{A}_\tau]$ is also an LTS map, where for $b \in B$,

$\pi'(b) = [\pi(b)]$.

Theorem 4.16 If $\mathcal{A}$ is a weakly complete LTS with a $\tau$-prefix operation, then any collapse of $\mathcal{A}_\tau$ is a final $\tau$-LTS.


4.5 Defining the CCS combinators on a final $\tau$-LTS

We assume given a final $\tau$-LTS, $\mathcal{P} = (P, \theta)$. Our purpose is to show how to define the combinators of CCS as operations on $\mathcal{P}$.

Definition 4.17 We will call a subset $Y$ of $Act \times P$ a $\tau$-subset if

1. $(\alpha, q) \in Y$ and $q \stackrel{\tau}{\longrightarrow} r \Rightarrow (\alpha, r) \in Y$,

2. $(\tau, q) \in Y$ and $q \stackrel{\alpha}{\longrightarrow} r \Rightarrow (\alpha, r) \in Y$,

3. $(\alpha, q) \in Y \Rightarrow q \stackrel{\tau}{\longrightarrow} q$.

Note that $\theta(p)$ is always a $\tau$-subset for any $p \in P$.

Proposition 4.18 If $Y$ is a $\tau$-subset then there is a unique $p \in P$ such that $\theta(p) = Y$.

Proof: Choose an object $* \notin P$ and let $P^* = P \cup \{*\}$. Extend $\theta$ to $\theta^* : P^* \to pow(Act \times P^*)$ by letting $\theta^*(*) = Y$. Then $\mathcal{P}^* = (P^*, \theta^*)$ is easily seen to be a $\tau$-LTS. Let $\pi : \mathcal{P}^* \to \mathcal{P}$ be the unique LTS map. This exists because $\mathcal{P}$ is a final $\tau$-LTS. Then the restriction of $\pi$ to $\mathcal{P}$ is still an LTS map $\mathcal{P} \to \mathcal{P}$. But the identity map on $P$ is the unique LTS map $\mathcal{P} \to \mathcal{P}$. So $\pi(q) = q$ for all $q \in P$.

Now let $p = \pi(*)$. As $\pi$ is an LTS map

$\theta(p) = \theta(\pi(*))$

$= \{(\alpha, \pi(q)) \mid (\alpha, q) \in \theta^*(*)\}$

$= \{(\alpha, q) \mid (\alpha, q) \in Y\}$

$= Y$.

The uniqueness of this $p$ follows from the uniqueness of $\pi$.

□

Definition 4.19 (Summation) Given a family of elements $p_i \in P$, for $i \in I$, where $I$ is a set, each $\theta(p_i)$ is a $\tau$-subset and therefore so is the union $\bigcup_{i \in I} \theta(p_i)$. We define $\sum_{i \in I} p_i$ to be the unique $p \in P$ such that

$\theta(p) = \bigcup_{i \in I} \theta(p_i)$.
We define the $\tau$-prefix operation on $\mathcal{P}$ using the next lemma.

Lemma 4.20 If $p \in P$ then there is a unique $p' \in P$ such that

$\theta(p') = \theta(p) \cup \{(\tau, p')\}$.

Proof: Let $p \in P$. Define $\mathcal{P}^* = (P^*, \theta^*)$ as in the proof of the previous lemma, except that we now let $\theta^*(*) = \theta(p) \cup \{(\tau, *)\}$. Observe that $\mathcal{P}^*$ is a $\tau$-LTS, so that there is a unique LTS map $\pi : \mathcal{P}^* \to \mathcal{P}$. As before $\pi(q) = q$ for $q \in P$. Now let $p' = \pi(*)$. Then

$\theta(p') = \{(\alpha, \pi(q)) \mid (\alpha, q) \in \theta^*(*)\}$

$= \{(\alpha, q) \mid (\alpha, q) \in \theta(p)\} \cup \{(\tau, p')\}$

$= \theta(p) \cup \{(\tau, p')\}$.

As $\pi$ is the unique LTS map $\mathcal{P}^* \to \mathcal{P}$ it is easy to see that $p'$ must be the unique element of $P$ such that

$\theta(p') = \theta(p) \cup \{(\tau, p')\}$.


□ 

Definition 4.21 Given $p \in P$ we let $\tau.p$ be the unique $p'$ given by the lemma. If $l$ is a label then $Y = \{(l, q) \mid (\tau, q) \in \theta(\tau.p)\}$ is a $\tau$-subset so that there is a unique $r \in P$ such that $\theta(r) = Y$. We let $l.p$ be this unique $r$. So we have defined $\alpha.p$ for any $\alpha \in Act$ and any $p \in P$.

In order to define the CCS parallel composition on $\mathcal{P}$ we first need to define a labelled transition relation on $P \times P$. The relations $\stackrel{\alpha}{\longrightarrow}$ on $P \times P$ are given by:

If $l$ is a label then let

$(p, q) \stackrel{l}{\longrightarrow} (p', q') \iff$ either ($p \stackrel{l}{\longrightarrow} p'$ & $q = q'$) or ($p = p'$ & $q \stackrel{l}{\longrightarrow} q'$).

Also let

$(p, q) \stackrel{\tau}{\longrightarrow} (p', q') \iff$ either ($p \stackrel{l}{\longrightarrow} p'$ & $q \stackrel{\bar{l}}{\longrightarrow} q'$ for some label $l$)

or ($p \stackrel{\tau}{\longrightarrow} p'$ & $q = q'$) or ($p = p'$ & $q \stackrel{\tau}{\longrightarrow} q'$).

Having defined the $\stackrel{\alpha}{\longrightarrow}$ relations on $P \times P$ we go on to define the relation $\stackrel{\alpha}{\Longrightarrow}$, as usual, to be the relational composition $(\stackrel{\tau}{\longrightarrow})^* \stackrel{\alpha}{\longrightarrow} (\stackrel{\tau}{\longrightarrow})^*$ for each $\alpha \in Act$ and so can make $P \times P$ into an LTS $\mathcal{P}' = (P \times P, \theta')$ where, for $(p, q) \in P \times P$,

$\theta'(p, q) = \{(\alpha, (p', q')) \mid (p, q) \stackrel{\alpha}{\Longrightarrow} (p', q')\}$.

Lemma 4.22 $\mathcal{P}'$ is a $\tau$-LTS.

Definition 4.23 (Composition) The composition operation, $-|- : P \times P \to P$ of CCS, is defined to be the unique LTS map $\mathcal{P}' \to \mathcal{P}$.

Definition 4.24 (Restriction) If $L$ is a sort let $\mathcal{P}_L = (P, \theta_L)$ be the LTS where, for $p \in P$,

$\theta_L(p) = \{(\alpha, q) \in \theta(p) \mid \alpha \notin L \cup \bar{L}\}$.

Then $\mathcal{P}_L$ is a $\tau$-LTS. We let $-\backslash L : P \to P$ be the unique LTS map $\mathcal{P}_L \to \mathcal{P}$.

Definition 4.25 (Relabelling) If $f$ is a relabelling map let $\mathcal{P}_f = (P, \theta_f)$ where, for $p \in P$,

$\theta_f(p) = \{(f(\alpha), q) \mid (\alpha, q) \in \theta(p)\}$.

Then $\mathcal{P}_f$ is a $\tau$-LTS. We let $-[f] : P \to P$ be the unique LTS map $\mathcal{P}_f \to \mathcal{P}$.

4.6 A Denotational Semantics for CCS

We have seen how to define operations on a final $\tau$-LTS $\mathcal{P}$, corresponding to the combinators of CCS. These can be used to give a denotational semantics for $\mathcal{E}_K$, i.e. we can associate a denotation $[\![e]\!] \in P$ to each $e \in E_K$. To take care of the possibly recursive definitions of the constants we first define $[\![-]\!]_\phi : E_K \to P$ given $\phi : K \to P$.

Definition 4.26 Given $\phi : K \to P$ let $[\![-]\!]_\phi : E_K \to P$ be defined by structural recursion on the way agents in $E_K$ are built up using the equations:

$[\![c]\!]_\phi = \phi(c)$

$[\![\alpha.e]\!]_\phi = \alpha.[\![e]\!]_\phi$

$[\![\sum_{i \in I} e_i]\!]_\phi = \sum_{i \in I} [\![e_i]\!]_\phi$

$[\![e_1 | e_2]\!]_\phi = [\![e_1]\!]_\phi \mid [\![e_2]\!]_\phi$

$[\![e \backslash L]\!]_\phi = [\![e]\!]_\phi \backslash L$

$[\![e[f]]\!]_\phi = [\![e]\!]_\phi [f]$

Now we can define $[\![e]\!] = [\![e]\!]_{\phi_0}$ where $\phi_0$ is the 'least' map $\phi : K \to P$ such that $\phi(c) = [\![e_c]\!]_\phi$ for all constants $c \in K$. More precisely we have the following result and definition.

Theorem 4.27 There is a unique map $\phi_0 : K \to P$ such that

1. $\phi_0(c) = [\![e_c]\!]_{\phi_0}$ for all constants $c \in K$.

2. If $\phi(c) = [\![e_c]\!]_\phi$ for all constants $c \in K$ then

$\theta(\phi_0(c)) \subseteq \theta(\phi(c))$ for all constants $c \in K$.

Definition 4.28 Let $[\![-]\!]$ be $[\![-]\!]_{\phi_0}$ where $\phi_0$ is given by the theorem.

Finally we spell out how this denotational semantics for CCS is related to the familiar operational semantics.

Theorem 4.29 $[\![-]\!]$ is the (necessarily unique) LTS-map $(\mathcal{E}_K)_\tau \to \mathcal{P}$. More explicitly we get 1 and therefore 2 below.

1. For all $e \in E_K$

$\theta([\![e]\!]) = \{(\alpha, [\![\tau.e']\!]) \mid e \stackrel{\alpha}{\Longrightarrow} e'\}$,

2. For all $e_1, e_2 \in E_K$

$e_1 \approx_c e_2 \iff [\![e_1]\!] = [\![e_2]\!]$.
5 CSP Processes

5.1 The notion of a CSP-system

We will give a characterisation of the CSP notion of process in terms of CSP-systems. In [5] event names play roughly the same role for CSP that atomic actions play in CCS. We shall assume given a fixed set $\mathcal{N}$ of event names. Earlier we formulated a coloured version of the notion of an LTS. We now specialise to the colours needed for the version of CSP presented in [5]. A feature of CSP is that processes can have varying alphabets, the alphabet of a process being the set of the event names that ever make sense for the process. This will be one aspect of CSP colouring. Another aspect will be the association of a refusals set to each process. Given an alphabet $\mathcal{L} \subseteq \mathcal{N}$, if $L \subseteq \mathcal{L}$ then a set $R \subseteq pow(\mathcal{L})$ is a refusals set for $L$, relative to the alphabet $\mathcal{L}$, if $R$ is non-empty and

$R = \{X \subseteq \mathcal{L} \mid fin(L \cap X) \subseteq R\}$,

where, for any set $Y$, $fin(Y)$ is the set of all finite subsets of $Y$. We define the set $Col$ of colours for CSP to be the set of those triples $(\mathcal{L}, L, R)$ such that $L \subseteq \mathcal{L} \subseteq \mathcal{N}$ and $R$ is a refusals set for $L$ relative to $\mathcal{L}$. Now if $\mathcal{A} = (A, \phi)$ is a CLTS, with this set of colours, the map $col : A \to Col$ determines maps $alph, dom : A \to pow(\mathcal{N})$ and $refus : A \to pow(pow(\mathcal{N}))$ so that for $a \in A$

$col(a) = (alph(a), dom(a), refus(a))$.

Here $alph(a)$ is the alphabet of $a$, $dom(a)$ is the domain of $a$ and $refus(a)$ is the refusals set of $a$.

Definition 5.1 A CSP-system is a deterministic CLTS, using the sets $\mathcal{N}$ of atomic actions and $Col$ of colours as above, such that if $a \stackrel{\alpha}{\longrightarrow} a'$ then $\alpha \in dom(a)$ and $alph(a') = alph(a)$.

Let $\mathcal{C}_{CSP}$ be the full subcategory of the category of all CLTSs, consisting of those that are CSP-systems. It is easy to check that

Proposition 5.2 $\mathcal{C}_{CSP}$ is image and union closed and hence there is a final CSP-system.


5.2 The CSP system of non-chaotic CSP processes

We give the mathematical definition of the notion of CSP process that is in [5], using our notation and terminology. We have incorporated an extra condition that is needed as we do not make the simplifying assumption, made in [5], that the alphabet of a process must be finite.

Definition 5.3 A CSP process is a triple $(\mathcal{L}, F, D)$ where $\mathcal{L} \subseteq \mathcal{N}$, $F \subseteq \mathcal{L}^* \times pow(\mathcal{L})$ and $D \subseteq \mathcal{L}^*$ such that if $T = \{\sigma \in \mathcal{L}^* \mid (\sigma, X) \in F \text{ for some } X\}$ then

1. $T$ is a trace-set.

2. For each $\sigma \in T$ the set $\{X \subseteq \mathcal{L} \mid (\sigma, X) \in F\}$ is a refusals set for $\{a \in \mathcal{L} \mid \sigma a \in T\}$ relative to $\mathcal{L}$.

3. For each $\sigma \in D$

$(\sigma, X) \in F$ for all $X \subseteq \mathcal{L}$ and $\sigma a \in D$ for all $a \in \mathcal{L}$.

There are particular processes of CSP that play a singular role in the theory. For each alphabet $\mathcal{L} \subseteq \mathcal{N}$ there is the chaotic process

$CHAOS_{\mathcal{L}} = (\mathcal{L}, \mathcal{L}^* \times pow(\mathcal{L}), \mathcal{L}^*)$.

These  are  processes  to  be  avoided  and  any  kind  of  divergence  gives 
rise  to  one  of  them.  For  our  purposes  it  will  be  convenient  to  leave 
them  out  of  the  universe  that  we  shall  characterise.  They  could  easily 
be  kept  in  by  switching  to  the  category  of  pointed  classes  (or  sets) 
where  we  have  been  using  the  category  of  classes.  There  may  even 
be  conceptual  reasons  for  feeling  that  they  may  be  best  not  included, 
although  the  effect  is  to  make  some  of  the  CSP  combinators  partial 
rather  than  total. 

So we want to define a CSP system $\mathcal{P}_{CSP} = (P_{CSP}, \phi_{CSP})$, where $P_{CSP}$ is the set of non-chaotic CSP processes. For $p = (\mathcal{L}, F, D)$ let

$\phi_{CSP}(p) = (\theta_{CSP}(p), (\mathcal{L}, \{a \in \mathcal{L} \mid (a, \emptyset) \in F\}, \{X \mid (\epsilon, X) \in F\}))$.

Here

$\theta_{CSP}(p) = \{(a, p/a) \mid a \in S(p)\}$,

where

$S(p) = \{a \in \mathcal{L} \mid (a, \emptyset) \in F \text{ and } a \notin D\}$

and, for $(a, \emptyset) \in F$, $p/a = (\mathcal{L}, F_a, D_a)$ where

$F_a = \{(\sigma, X) \mid (a\sigma, X) \in F\}$ and $D_a = \{\sigma \mid a\sigma \in D\}$.

It should be clear that $\mathcal{P}_{CSP}$ is a CSP system. In fact we have the following result.

Theorem 5.4 $\mathcal{P}_{CSP}$ is a final CSP system.

This final universe characterisation of CSP is unlikely to be the best. It focuses on the deterministic transition relations given by the after operations $-/a$, where $p/a$ is the process that behaves like $p$ after $p$ has engaged in $a$, provided that $p$ can engage in $a$ and $p$ does not make any internal choices. A better comparison with CCS may be obtained by looking at the non-deterministic transition relations that combine the external after operation with internal choice. Also for comparison with CCS let us restrict attention to the processes having a fixed alphabet $\mathcal{L}$. Let $Act = \mathcal{L} \cup \{\tau\}$ where $\tau$ is not an event name. Let $P'_{CSP}$ be the set of all the processes of CSP with alphabet $\mathcal{L}$. In CSP the relation that expresses a purely internally determined transition is given by the following definition. If $p_i = (\mathcal{L}, F_i, D_i)$, for $i = 1, 2$, then

$p_1 \sqsubseteq p_2 \iff F_1 \supseteq F_2 \text{ and } D_1 \supseteq D_2$.

Note that this relation is a complete partial order with least element $CHAOS_{\mathcal{L}}$. When mixing internal with external transitions we get the following transition map $\psi_{CSP}$ on $P'_{CSP}$. If $p = (\mathcal{L}, F, D) \in P'_{CSP}$ then

$\psi_{CSP}(p) = \{(\alpha, q) \mid ((\alpha, \emptyset) \in F \text{ and } p/\alpha \sqsubseteq q) \text{ or } (\alpha = \tau \text{ and } p \sqsubseteq q)\}$.

It is easy to check that $\mathcal{P}'_{CSP} = (P'_{CSP}, \psi_{CSP})$ is an LTS in $\mathcal{C}_2$ which can be embedded in any final object of $\mathcal{C}_2$ and hence of any final $\tau$-LTS, the universe of CCS processes. We end by posing the problem: Find an elegant final universe characterisation of this LTS.
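As an added example (not from the paper), the following Python represents CSP processes as triples $(\mathcal{L}, F, D)$ over a finite alphabet and implements the after operation $p/a$, the set $S(p)$, the order $\sqsubseteq$ and a membership test for $\psi_{CSP}$ as defined in this section; the process constructors (STOP, prefixing, internal and external choice) and the sample processes are constructed for the example.

```python
"""CSP processes as (alphabet, failures, divergences) triples (Definition 5.3),
with the after operation p/a, the set S(p), the order ⊑ and a membership test
for the mixed transition map psi_CSP of Section 5.2.  Finite alphabets only;
the process constructors and the sample processes are constructed for this
example and are not part of the paper."""
from itertools import combinations
from typing import FrozenSet, Set, Tuple

Trace = Tuple[str, ...]
Failures = Set[Tuple[Trace, FrozenSet[str]]]
Process = Tuple[FrozenSet[str], Failures, Set[Trace]]   # (L, F, D)


def subsets(s) -> list:
    """All subsets of a finite set, so refusals sets are subset-closed."""
    s = sorted(s)
    return [frozenset(c) for n in range(len(s) + 1) for c in combinations(s, n)]


def stop(alphabet) -> Process:
    """STOP: only the empty trace, every set refused, no divergence."""
    L = frozenset(alphabet)
    return L, {((), X) for X in subsets(L)}, set()


def prefix(a: str, p: Process) -> Process:
    """a -> p: initially only a is offered, so X is refused iff a is not in X."""
    L, F, D = p
    failures = {((), X) for X in subsets(L) if a not in X}
    failures |= {((a,) + s, X) for s, X in F}
    return L, failures, {(a,) + s for s in D}


def internal_choice(p: Process, q: Process) -> Process:
    """p |~| q: the environment cannot influence the choice, so the
    behaviours are simply pooled."""
    return p[0], p[1] | q[1], p[2] | q[2]


def external_choice(p: Process, q: Process) -> Process:
    """p [] q for divergence-free operands: at <> a set is refused only if
    both operands refuse it; afterwards the chosen operand's failures apply."""
    L, Fp, Dp = p
    _, Fq, Dq = q
    failures = {((), X) for X in subsets(L) if ((), X) in Fp and ((), X) in Fq}
    failures |= {(s, X) for s, X in Fp | Fq if s != ()}
    return L, failures, Dp | Dq


def after(p: Process, a: str) -> Process:
    """p/a = (L, F_a, D_a), defined when (<a>, {}) is in F (Section 5.2)."""
    L, F, D = p
    if ((a,), frozenset()) not in F:
        raise ValueError(f"{a!r} is not a possible first event")
    return (L,
            {(s[1:], X) for s, X in F if s[:1] == (a,)},
            {s[1:] for s in D if s[:1] == (a,)})


def s_of(p: Process) -> Set[str]:
    """S(p): first events a with (<a>, {}) in F and <a> not in D."""
    L, F, D = p
    return {a for a in L if ((a,), frozenset()) in F and (a,) not in D}


def leq(p1: Process, p2: Process) -> bool:
    """p1 ⊑ p2 iff F1 ⊇ F2 and D1 ⊇ D2: p2 resolves some of p1's internal choices."""
    return p1[1] >= p2[1] and p1[2] >= p2[2]


def in_psi(p: Process, alpha: str, q: Process) -> bool:
    """(alpha, q) ∈ psi_CSP(p): either an external event alpha followed by
    internal choice (p/alpha ⊑ q), or alpha = tau and a purely internal step."""
    if alpha == "tau":
        return leq(p, q)
    return ((alpha,), frozenset()) in p[1] and leq(after(p, alpha), q)


# Constructed sample processes over the alphabet {a, b}.
ALPHABET = frozenset({"a", "b"})
A = prefix("a", stop(ALPHABET))            # a -> STOP
B = prefix("b", stop(ALPHABET))            # b -> STOP
INT = internal_choice(A, B)                # (a -> STOP) |~| (b -> STOP)
EXT = external_choice(A, B)                # (a -> STOP) [] (b -> STOP)

if __name__ == "__main__":
    print(sorted(s_of(INT)), sorted(s_of(EXT)))   # ['a', 'b'] ['a', 'b']
    print(leq(INT, EXT), leq(EXT, INT))           # True False: INT refines to EXT
    print(in_psi(INT, "tau", A))                  # True: tau-move resolving the choice
    print(in_psi(EXT, "tau", A))                  # False: no internal move in EXT
```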


6  Conclusion 


In  this  paper  we  have  considered  several  final  universe  characterisa¬ 
tions  of  universes  of  processes.  We  expect  that  other  universes  can 
be  given  similar  treatments.  We  believe  that  the  presentations  of 
universes  in  this  style  will  help  to  unify  the  subject.  The  notion  of  a 
final  universe  seems  particularly  appropriate  for  process  algebra,  as 
it  captures  in  one  idea  several  aspects.  One  aspect  is  the  frequent  use 
of  a  general  scheme  of  mutual  recursion  for  defining  processes.  This 
is  captured  by  the  weak  finality  property  of  a  final  universe.  Another 
aspect of process algebra is its abstractness. Processes of process algebra are identified when they have the same abstract behaviour.
This  aspect  is  captured  by  the  strong  extensionality  property  of  a 
final  universe.  A  third  aspect,  that  is  really  a  combination  of  the  pre¬ 
vious  two,  is  that  the  combinators  of  process  algebra  can  be  uniquely 
defined  on  the  final  universe  and  do  not  need  to  be  explicitly  fea¬ 
tured  in  the  mathematical  structure  that  has  been  characterised.  In 
this  paper  we  have  illustrated  this  point  for  CCS.  The  combinators 
of CSP could be given a similar treatment. But we have left this for
another  occasion  where  we  would  hope  to  have  a  better  treatment 
of  CSP  than  that  presented  here. 

We end with a final remark about CCS. We have seen that the CCS combinators can be defined on any final $\tau$-LTS $\mathcal{P}$. In fact, conversely, the transition relations associated with $\mathcal{P}$ can be defined in terms of binary sums and the prefix operations as follows.

$p \stackrel{\alpha}{\longrightarrow} q \iff p + \alpha.q = p \text{ and } \tau.q = q$

An  apparently  simpler  approach  would  be  to  modify  this  definition 
by  leaving  out  the  second  conjunct  T.q  =  q.  But,  as  far  as  I  can  see, 
the  resulting  LTS  would  not  be  so  easy  to  characterise.  What  is  still 
left  unanswered  is  the  intuitive  status  of  any  notion  of  labelled  tran¬ 
sition  on  abstract  processes.  It  would  be  pleasing  if  mathematically 
simple  definitions  could  be  linked  to  intuitively  satisfying  explana¬ 
tions  of  the  computational  ideas. 
Abstract

We  offer  a  symmetric  account  of  sequentiality,  by  means  of 
symmetric  algorithms,  which  are  pairs  of  sequential  functions, 
mapping  input  data  to  output  data,  and  output  exploration  trees  to  input 
exploration  trees,  respectively.  We  use  the  framework  of  sequential 
data  structures,  a  reformulation  of  a  class  of  Kahn-Plotkin’s  concrete 
data  structures.  In  sequential  data  structures,  data  are  constructed  by 
alternating  questions  and  answers.  Sequential  data  structures  and 
symmetric  algorithms  are  the  objects  and  morphisms  of  a  symmetric 
monoidal  closed  category,  which  is  also  cartesian,  and  is  such  that  the 
unit  is  terminal.  Our  category  is  a  full  subcategory  of  categories  of 
games  considered  by  Lamarche,  and  by  Abramsky-Jagadeesan, 
respectively. 

Following  Lamarche,  we  construct  a  comonad  corresponding  to 
contraction.  We  define  this  comonad  via  an  adjunction  between  the 
category  of  symmetric  algorithms  and  the  “old”  cartesian  closed 
category  of  sequential  algorithms,  defined  in  the  late  seventies  by  the 
author and Gerard Berry. Thus sequential algorithms model not only typed $\lambda$-calculus, but also intuitionistic affine logic, with connectives $\otimes$, $1$, $\multimap$, $\times$, and $\top$.

This  work,  while  finding  its  roots  in  the  study  of  sequentiality, 
presents  striking  correspondences  with  game-theoretic  concepts, 
introduced  by  Blass  in  the  early  seventies  in  a  very  different  context. 
The  aim  of  the  present  work  is  to  offer  a  systematic  connection  between 
sequentiality  and  games.  Also,  the  notion  of  symmetric  algorithm 
appears  to  be  new. 


1.  Introduction 

In the last fifteen years, the semantic study of sequentiality has been associated with the full abstraction problem for sequential programming languages [CuMon, BCL, CuSur]. And indeed, a new result of Cartwright, Curien and Felleisen, reported in [CF, CuObs, CCF] is that the sequential model of Berry and Curien [BeCu1, CuMon] is fully abstract for SPCF, an extension of PCF with control operators. (PCF is a typed $\lambda$-calculus with recursion and arithmetic operations [Gun].) In this paper, we address
the  relations  between  sequentiality  and  games.  Game-theoretic  interpretations  of  proofs 
have  become  a  recent  subject  of  interest,  after  Blass  recently  brought  old  work  of  his  to 
the  attention  of  the  linear  logic  research  community  [Blassl,  Blass2]. 

We  proceed  directly  in  the  definition/theorem  style,  trying  to  explain  concepts  as 
they  are  introduced,  both  from  the  point  of  view  of  games  and  of  sequentiality.  The 
work  presented  here  stands  as  a  prefix  to  wider  efforts  aiming  at  developing 
interpretations  of  all  or  part  of  linear  logic  based  on  the  ideas  of  sequential  algorithms 
[Laml,  Lam2],  and  games  [AJ2,  HO]. 

In  Section  2,  we  present  a  notion  of  sequential  data  structure,  which  is  very  close  to 
the  notions  of  game  in  the  sense  of  Blass,  or  of  Abramsky-Jagadeesan  (which  are 
themselves  variants  of  Conway’s,  or  Joyal’s  games  [Con,  Joy]),  and  to  the  notion  of 
sequential  domain  found  in  [Laml].  The  definition  of  sequential  data  structure  is  an 
appealing  reformulation  of  the  notion  of  filiform  concrete  data  structure  [CuMon]. 
Concrete  data  structures,  introduced  by  Kahn  and  Plotkin  [KP],  support  a  general 
definition  of  sequential  function,  which  itself  has  served  as  a  starting  point  to  the 
author’s  semantic  investigation  of  sequentiality.  Filiform  concrete  data  structures  were 
recognized  by  the  author  as  sufficient  for  the  purpose  of  modelling  a  language  like 
PCF.  But  we  had  not  remarked  the  essential  symmetry  of  this  special  class  of  concrete 
data  structures,  which  turns  out  to  be  instrumental  for  an  investigation  of  linear 
(actually,  affine)  sequentiality. 

In  Section  3,  we  define  morphisms  between  sequential  data  structures,  which  we 
call  affine  sequential  algorithms,  in  two  different  ways.  First,  as  “programs”  written  in 
the  style  of  the  language  CDS  of  Berry-Curien  [CuMon,  BeCu2].  Second,  as  pairs  of 
two  functions:  an  input-output  behaviour,  and  a  computation  strategy,  respectively. 
Such  pairs  (function,  computation  strategy)  are  already  central  in  [BeCul,  CuMon],  but 
these  works  present  us  with  no  real  symmetry  between  the  two  components  of  the 
pairs,  beyond  the  fact  that  a  computation  strategy  is  roughly  “going  from  the  output  to 
the  input”.  In  the  framework  of  sequential  data  structures,  and,  more  importantly,  in  the 
special  case  of  affine  sequential  algorithms,  a  computation  strategy  can  be  formulated 
as  a  (partial)  function  from  output  exploration  trees  to  input  exploration  trees,  and  the 
pairs  (function,  computation  strategy)  can  be  axiomatized  in  such  a  way  that  the  two 
functions have symmetric properties. To the best of our knowledge, this axiomatization appears for the first time here.

In Section 4, we define the composition of two affine algorithms as the pair of the
compositions  of  their  two  components.  There  is  also  an  operational  definition  of  the 
composition  of  sequential  algorithms,  which  goes  back  to  [BeCu2,  CuMon  (Definition 
3.5.5)],  and  has  been  elegantly  reformulated  by  Abramsky  and  Jagadeesan  as  “parallel 
composition  +  hiding”  [AJ2].  We  show  that  we  obtain  a  symmetric  monoidal  closed, 
cartesian  category,  where  the  unit  of  the  tensor  is  also  terminal  (this  is  the  categorical 
characterization  of  affinity). 

In  Section  5,  we  reintroduce  Berry-Curien’s  sequential  algorithms  in  the  framework 
of  sequential  data  structures,  and  define  a  left  adjoint !  to  the  inclusion  functor  from  the 
category  of  affine  sequential  algorithms  to  the  category  of  sequential  algorithms.  By 
categorical  reasoning,  we  deduce  that  the  category  of  sequential  algorithms  can  be 
recast  as  the  CoKleisli  category  of  the  comonad  !  induced  by  this  adjunction.  Altogether 
we  have  a  model  of  affine  linear  logic. 

On  the  side,  following  a  suggestion  of  Streicher,  we  formulate  yet  another 
characterization  of  sequential  algorithms,  as  sequential  functions  that  propagate  and 
reflect  errors.  Error-sensitive  functions,  also  called  observably  sequential  functions, 
are discussed at length in [CuObs, CCF]. The new feature here is error reflection. The
explicit  presence  of  error  data  in  the  domains  allows  us  to  witness  computation 
strategies  extensionally,  and  error  reflection  ensures  that  errors  serve  only  that  purpose. 

In  Section  6  we  collect  remarks  and  comparisons  with  related  work.  We  briefly 
discuss  ways  of  interpreting  other  connectives  of  linear  logic. 

Many  of  the  proofs  are  only  sketched,  but  the  parts  left  out  are  mostly  routine. 

Notation  (Paths) 

Given a partial order $(X, \leq)$, we use the notation $x \uparrow y$ to denote the fact that $x \in X$ and $y \in X$ are compatible, that is, have an upper bound. We use "glb" and "lub" as shorthands for "greatest lower bound" and "least upper bound".

Given an alphabet $A$, $A^*$ denotes the set of words, called here paths over $A$, that is of strings of symbols taken from $A$. String concatenation, and concatenation of a string and a letter of $A$, are denoted by simple juxtaposition: $ww'$, $aw$, $wa$, etc. The empty string is written $\epsilon$. A path different from $\epsilon$ is called a non-$\epsilon$ path. The paths are ordered by the prefix ordering: $w \leq w'$ if $w' = ww''$ for some $w''$. This preorder is such that every two paths are either comparable or incompatible. A path is called non-repetitive when each symbol of $A$ occurs at most once in it. Given a subset $B$ of $A$, for any word $w \in A^*$, we define $w \restriction B$ as follows:

$\epsilon \restriction B = \epsilon$, $wd \restriction B = w \restriction B$ if $d \in A \setminus B$, $wd \restriction B = (w \restriction B)d$ if $d \in B$

We shall need the following transformation "copycat" on words, which we define as follows:

$copycat(\epsilon) = \epsilon$, $copycat(wd) = copycat(w)dd$

Unless explicitly needed, we shall treat disjoint unions as ordinary unions.
2. Sequential data structures

The  following  definition  appears  also  in  [CCF]. 

Definition (Sequential data structure)

A sequential data structure (sds for short) $M = (A, D, P)$ is given by:

- a set $A$ of addresses $a, a_1, \ldots$,

- a set $D$ of data $d, d_1, \ldots$ ($A$ and $D$ are assumed disjoint),

- a collection $P$ of non-$\epsilon$ alternating paths over $A \cup D$ that start with an address.

Thus, the paths are of the form $a_1 d_1 \ldots d_{n-1} a_n d_n$ or of the form $a_1 d_1 \ldots d_{n-1} a_n d_n a_{n+1}$. Moreover, it is assumed that $P$ is closed under non-$\epsilon$ prefixes. We shall loosely call the elements of $P$ paths of $M$, or even simply paths.

We call move any element of $A$ or of $D$. We use $m$ to denote a move, and we say that $m$ belongs to $M$, which will thus also serve sometimes to denote $A \cup D$. A path ending with a datum is called a response, and a path ending with an address is called a query. We use $p$ (or $s$, or $t$), $q$, and $r$ to range over paths, queries, and responses, respectively. We denote by $Q$ and $R$ the sets of queries and responses, respectively.

A strategy (a tree in the terminology of [CCF], a state in the terminology of [KP, CuMon]) of M is a subset x of R that is closed under response prefixes and binary non-ε glb's¹:

$r_1, r_2 \in x,\ r_1 \wedge r_2 \neq \varepsilon \ \Rightarrow\ r_1 \wedge r_2 \in x$

A counterstrategy is a non-empty subset of Q that is closed under query prefixes and under binary glb's. We use x, y, ... and α, β, ... to range over strategies and counterstrategies, respectively.

Both sets of strategies and of counterstrategies are ordered by inclusion. They are denoted by D(M) and D⊥(M), respectively. Notice that D(M) always has a minimum element (the empty strategy, written ∅ or ⊥), while D⊥(M) has no minimum element in general. D(M) is called the sds domain generated by M. It is a Scott domain [GuSco], and more precisely a dI-domain [Be, BCL], whose compact elements are the finite strategies. We denote by D°(M) the set of finite strategies of M. The dI-domains enjoy the property that any compact element dominates only finitely many elements. This property, called property I, is essential in the theory of stable functions [Be] (see Section 3). D⊥(M) enjoys the same properties (except for the existence of a minimum element), and we denote by D⊥°(M) the set of finite counterstrategies.

Among the strategies are the sets of response prefixes of a response r. By abuse of notation we still call r the resulting strategy. It is easy to see that those r's are exactly the (non-⊥) prime² elements of D(M).


¹Alternatively, as for example in [AJ2], we could have included the empty path in P, and have required strategies to be non-empty.

²We recall that an element p is prime when for any upper bounded X ⊆ D(M), (p ≤ ∨X ⇒ ∃x ∈ X, p ≤ x).


We end this definition by fixing some terminology. Let x be a strategy.

- If qd ∈ x for some d, we say that q is filled in x, and we write q ∈ F(x).

- If r ∈ x and q = rc for some c, we say that q is enabled in x.

- If q is enabled but not filled in x, we say that q is accessible from x, and we write q ∈ A(x).

We define likewise r ∈ F(α) and r ∈ A(α) for a response r and a counterstrategy α. □

A  more  geometric  reading  of  this  definition  is  that  an  sds  is  a  labelled  forest,  where 
the  ancestor  relation  alternates  addresses  and  data,  and  where  the  roots  are  labelled  by 
addresses. 

We give some examples of sds's (see also [CCF]). A flat domain is described as the set of strategies of an sds with a single address ? and a collection of paths of length not greater than 2. For example, in Figure 1, we represent the flat domain of natural numbers.

Figure 1: Flat domain of natural numbers (the root ?, with the responses ?0, ..., ?n, ... below it)

Figure 2 represents the cartesian product Bool² of the boolean domain with itself ("x" and "y" stand for the "coordinates" x and y, thinking of a function f(x,y) defined on this domain).

Figure 2: The sds Bool² (roots x and y, with children xT, xF and yT, yF)

The elements, say, (T,⊥) and (T,F), of Bool² are represented by the strategies {xT} and {xT,yF}, respectively.

A more sophisticated example is provided by the partial terms over a signature Σ such as {a⁰, f¹, g²}, where the superscripts are the arities. The partial terms over this signature are the strategies of the sds shown in Figure 3, whose addresses are the occurrences, and whose data are the function symbols. Figure 4 shows a strategy of this sds, and here is a counterstrategy:

Figure 5: A counterstrategy

A  counterstrategy  can  be  read  as  an  exploration  tree,  or  a  pattern.  The  root  is 
investigated  first;  if  the  function  symbol  found  at  the  root  is  g,  then  its  left  son  is 
investigated  next;  otherwise,  if  the  function  symbol  found  at  the  root  is  f,  then  its  son  is 
investigated  next,  and  the  investigation  goes  further  if  the  symbol  found  at  node  1  is 
either  f  or  g. 

A more geometric reading of the definitions of sds, strategy and counterstrategy is the following:

- an sds is a forest,

- a strategy is a sub-forest which is allowed to branch only at data,

- a counterstrategy α is a non-empty sub-tree (if it contained c and d as paths of length 1, it should contain their glb, which is ε, contradicting α ⊆ P) which is allowed to branch only at addresses.

The pairs address / datum, query / response, and strategy / counterstrategy give sds's a large flavour of symmetry. These pairs are related to other important dualities in programming: Lamarche [Lam2], and Abramsky and Jagadeesan [AJ1], have pointed out the correspondence query - input (and response - output), and the correspondence strategy - constructor (and counterstrategy - destructor), respectively.

It is thus tempting to conceive of the counterstrategies of an sds M as the strategies of a dual structure whose addresses are the data of M and whose data are the addresses of M. This can be done in a number of ways. For example, Abramsky and Jagadeesan relax the condition that paths start with an address: in their framework, given a structure (A,D,P) (a game, in their terminology), (D,A,P) is another game, its dual, or its linear negation³. More restrictively, in his second work on sequentiality and games [Lam2], Lamarche considers structures of either of two polarities ○ and •, which stand for "address" and "datum", or "input" and "output" (in the sense of Danos-Regnier [Dan, MR, Reg]). The sds's are exactly Lamarche's games of polarity •. The negation of an sds has polarity ○. Lamarche represents the polarity • explicitly, by adding a root of that polarity to the forest representation of one of our sds's⁴. A generic sds viewed in this way is represented in Figure 6.

Figure 6: A game of polarity •

A representation of the negation of this generic sds is obtained by changing each label to its dual. Lamarche's notation presents some advantages. It enhances the symmetry of strategies and of counterstrategies. Strategies are non-empty subtrees that branch only at nodes labelled •, and counterstrategies are non-empty subtrees that branch only at nodes labelled ○. Lamarche's convention can be fixed in notation by reformulating the definition of sds as follows: replace D by the disjoint union of D and of a distinguished element •, and require now strategies to be non-empty sets of paths. We shall call this a Lamarchian sds. We say that the data have polarity • and that the addresses have polarity ○.

We now offer a reading of sds's as games. An sds can be considered as a game between two persons, the opponent and the player. The data are the player's moves, and the addresses are the opponent's moves. A player's strategy consists in having ready answers for (some of) the opponent's moves. Counterstrategies are just the opponent's strategies. The following proposition makes the analogy more suggestive.

Proposition (Play)

Let M be an sds, x be a strategy and α be a counterstrategy of M, one of which is finite. We define x|α as the set of paths p such that all the response prefixes of p are in x and all the query prefixes of p are in α. Then x|α is totally ordered, and can be identified with its maximum element, which is uniquely characterized as follows:

- x|α is the unique element of x ∩ A(α) if x|α is a response,

- x|α is the unique element of α ∩ A(x) if x|α is a query.

If x|α is a response, we say that x wins against α, and we denote this predicate x◁α. If x|α is a query, we say that α wins against x, and we write x▷α; thus ▷ is the negation of ◁. To stress the winner, we often write x|▷α for x|α when α wins, and x◁|α for x|α when x wins.

³However, in [AJ2], the counterstrategies of (A,D,P) are not strategies of (D,A,P): in their framework, all the paths of a strategy start with an opponent's move. See also Section 6.

⁴This root just corresponds to the empty path, missing in P (cf. footnote 1).

Proof: Suppose that p₁, p₂ ∈ x|α. We show that p₁ and p₂ are comparable, by contradiction. Thus suppose p₁∧p₂ < p₁ and p₁∧p₂ < p₂. Let q₁ be the largest query prefix of p₁, let r₁ be the largest prefix of p₁ which is a response or ε, and let q₂ and r₂ be defined similarly. We show:

$p_1 \wedge p_2 = q_1 \wedge q_2 = r_1 \wedge r_2$

One direction follows by the monotonicity of ∧: q₁∧q₂ ≤ p₁∧p₂. For the other direction, we remark that by the maximality of q₁, p₁∧p₂ < p₁ implies p₁∧p₂ ≤ q₁; and, similarly, we deduce p₁∧p₂ ≤ q₂, which completes the proof of p₁∧p₂ = q₁∧q₂. The equality p₁∧p₂ = r₁∧r₂ is proved similarly. But by definition of a strategy and of a counterstrategy, q₁∧q₂ is a query, and r₁∧r₂ is either a response or ε. Thus the equalities just proven imply that p₁∧p₂ is of both odd and even length: contradiction. Thus x|α is totally ordered. It has a maximum element, since the finiteness of x or α implies the finiteness of x|α.

To prove the rest of the statement, we first observe that x ∩ A(α) ⊆ x|α and α ∩ A(x) ⊆ x|α, by definition of x|α. We next show that x ∩ A(α) and α ∩ A(x) have at most one element. If p₁, p₂ ∈ x ∩ A(α), then by the first part of the statement p₁ and p₂ are comparable, say p₁ ≤ p₂. But if p₂ ∈ A(α) and p₁ < p₂, then p₁ ∈ F(α), contradicting the assumption p₁ ∈ A(α). Hence p₁ = p₂. The proof is similar for α ∩ A(x). Finally, if x|α viewed as a path is a response, then x|α ∈ x, x|α is enabled in α, and the maximality of x|α implies that x|α is not filled in α. Hence x|α ∈ x ∩ A(α), which by what precedes can be rephrased as x ∩ A(α) = {x|α}. □

The path x|α formalizes the interplay between the player with strategy x and the opponent with strategy α. If x|α is a response, then the player wins since he made the last move, and if x|α is a query, then the opponent wins. Here is a game-theoretic reading of x|α. At the beginning the opponent makes a move a: its strategy determines that move uniquely. Then either the player is unable to move (x contains no path of the form ad), or his strategy determines a unique move. The play goes on until one of x or α does not have the provision to answer its opponent's move. As an example, if x and α are the strategy and counterstrategy of the sds of partial terms which we have drawn in Figure 4 and Figure 5, then x|α is the path shown in Figure 7, and the player wins.


Figure 7: A play
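The play x|α can be computed mechanically by the game reading just given. The following Python code is an added example, not code from the paper: it encodes paths as tuples of tagged moves, checks the closure conditions that define strategies and counterstrategies, and runs the play on the sds of partial terms over the signature {a⁰, f¹, g²}. Since Figures 3 to 5 are not reproduced, the strategy TERM (the partial term g(f(a), a)) and the counterstrategy EXPLORE (the exploration tree described under Figure 5) are constructed here; all helper names are the example's own.

```python
"""Paths, strategies, counterstrategies and the play x|alpha of an sds.
Added example, not code from the paper. A move is a tagged tuple ("addr", a) or ("datum", d)
and a path is a tuple of moves. The sds is that of partial terms over the signature
{a:0, f:1, g:2}: addresses are occurrences (tuples of child indices, () is the root), data are
function symbols. Helper names are this example's own."""
from itertools import combinations

ADDR, DATUM = "addr", "datum"
ARITY = {"a": 0, "f": 1, "g": 2}   # the signature {a^0, f^1, g^2} of the text

def A(a):   # address move: an occurrence, e.g. () for the root, (1,) for its first son
    return (ADDR, a)

def D(d):   # datum move: a function symbol
    return (DATUM, d)

def is_response(p):
    return len(p) > 0 and p[-1][0] == DATUM

def is_query(p):
    return len(p) > 0 and p[-1][0] == ADDR

def glb(p1, p2):
    """Longest common prefix: the glb of two paths for the prefix ordering (() is eps)."""
    n = 0
    while n < min(len(p1), len(p2)) and p1[n] == p2[n]:
        n += 1
    return p1[:n]

def prefixes(p, pred):
    """Non-empty prefixes of p satisfying pred (response prefixes, query prefixes, ...)."""
    return {p[:k] for k in range(1, len(p) + 1) if pred(p[:k])}

def in_terms_sds(p):
    """Membership in P for partial terms: non-empty, alternating, starting with an occurrence,
    symbols in the signature, each later occurrence a son (within the arity) of the previous one."""
    if not p or p[0][0] != ADDR:
        return False
    for k, (kind, m) in enumerate(p):
        if kind != (ADDR if k % 2 == 0 else DATUM):
            return False
        if kind == DATUM and m not in ARITY:
            return False
        if kind == ADDR and k > 0:
            occ, sym = p[k - 2][1], p[k - 1][1]
            if not m or m[:-1] != occ or not 1 <= m[-1] <= ARITY[sym]:
                return False
    return True

def is_strategy(x, in_P=in_terms_sds):
    """A set of responses of P closed under response prefixes and binary non-eps glb's."""
    if not all(is_response(r) and in_P(r) for r in x):
        return False
    if any(not prefixes(r, is_response) <= x for r in x):
        return False
    return all(glb(r1, r2) == () or glb(r1, r2) in x for r1, r2 in combinations(x, 2))

def is_counterstrategy(alpha, in_P=in_terms_sds):
    """A non-empty set of queries of P closed under query prefixes and binary glb's
    (the glb must lie in alpha, so alpha is a tree with a single root address)."""
    if not alpha or not all(is_query(q) and in_P(q) for q in alpha):
        return False
    if any(not prefixes(q, is_query) <= alpha for q in alpha):
        return False
    return all(glb(q1, q2) in alpha for q1, q2 in combinations(alpha, 2))

def play(x, alpha):
    """The play x|alpha of Proposition (Play) by its game reading: the opponent opens with the
    root of alpha, the player answers with the unique datum x provides, the opponent asks the
    unique next address alpha provides, until one side has no provision. Returns (path, winner)."""
    (p,) = [q for q in alpha if len(q) == 1]            # the root of the tree alpha
    while True:
        answers = [r for r in x if len(r) == len(p) + 1 and r[:-1] == p]
        if not answers:
            return p, "opponent"      # x|alpha is a query: alpha wins
        (p,) = answers                # unique, since x branches only at data
        asks = [q for q in alpha if len(q) == len(p) + 1 and q[:-1] == p]
        if not asks:
            return p, "player"        # x|alpha is a response: x wins
        (p,) = asks                   # unique, since alpha branches only at addresses

# Constructed strategy: the partial term g(f(a), a).
TERM = {
    (A(()), D("g")),
    (A(()), D("g"), A((1,)), D("f")),
    (A(()), D("g"), A((1,)), D("f"), A((1, 1)), D("a")),
    (A(()), D("g"), A((2,)), D("a")),
}
# Constructed counterstrategy, following the reading of Figure 5: investigate the root; if g,
# investigate the left son, if f, the son; go on to node (1, 1) if node (1,) carries f or g.
EXPLORE = {
    (A(()),),
    (A(()), D("g"), A((1,))),
    (A(()), D("f"), A((1,))),
    (A(()), D("g"), A((1,)), D("f"), A((1, 1))),
    (A(()), D("g"), A((1,)), D("g"), A((1, 1))),
    (A(()), D("f"), A((1,)), D("f"), A((1, 1))),
    (A(()), D("f"), A((1,)), D("g"), A((1, 1))),
}
```

play(TERM, EXPLORE) ends with the response g (1) f (1,1) a, so the player wins; against the strategy {() f} (the term f(⊥)) the exploration asks for node (1,) and gets no answer, so the opponent wins. The uniqueness of the answer and of the next question at each step is exactly the glb closure: a strategy cannot contain two responses qd₁ and qd₂ (their glb q would be a query) and a counterstrategy cannot contain two queries ra₁ and ra₂.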

The result x|α of the interplay between x and α is reminiscent of the models of linear logic based on linear algebra proposed by Lafont and Streicher. In this rough comparison, x is a "vector", and α is a "form". But the "evaluation" x|α does not take its value in the reference "field", but rather either in the vector space or in its dual. Thus in a sense, the games considered here or in the works of Blass, Abramsky-Jagadeesan and Lamarche are richer than the models considered in [LS].

Precise connections between sequential data structures and Kahn-Plotkin's concrete data structures are given in [CCF, appendix]. We only briefly recall the definition of concrete data structure. A concrete data structure is specified by four components:

- a set C of cells,

- a set V of values,

- a subset E ⊆ C×V of events, and

- a relation ⊢ of enabling between finite collections of events and cells.

The states of a concrete data structure are the subsets x of E that are consistent and safe, that is, such that (c,v₁),(c,v₂) ∈ x implies v₁ = v₂, and such that if (c,v) ∈ x, then x contains an enabling of c. Sequential data structures correspond to the filiform concrete data structures, in which each enabling relates at most one event with a cell. In a filiform cds, there is a hidden symmetry between an event and an enabling: (c,v) represents "v after c", and (c₁,v₁) ⊢ c represents "c after v₁". Strategies correspond to states: safety is built into an sds, and consistency is the condition of closure under binary glb's.

In  [AJ2,  HO],  and  also  in  [Lam2],  attention  is  restricted  to  winning  strategies:  in  a 
winning  strategy  the  player  has  ready  answers  against  any  strategy  of  the  opponent. 
Winning  strategies  provide  a  notion  of  totality  that  is  important  to  get  completeness 
results.  We  briefly  come  back  to  winning  strategies  in  the  last  section. 


We end the section with a few elementary lemmas.

Lemma (x◁α)

Let M be an sds, x be a strategy and α be a counterstrategy of M. The following properties hold:

(1) If x◁α, then (x◁|α)|α = x◁|α.

(2) If x◁α and x ≤ y, then y◁α and x◁|α = y◁|α.

(3) If x▷α and y ≤ x, then y▷α.

Similar implications hold with the assumptions x▷α, x▷α and α ≤ β, x◁α and β ≤ α, respectively.

Proof: The properties (1) and (2) follow obviously from the characterization of x◁|α as the unique element of x ∩ A(α). Property (3) is a consequence of (2) by contraposition. □

Lemma (◁-F)

Let M be an sds, x be a strategy and q be a query of M. The following implications hold:

(1) q ∈ F(x) ⇒ x◁q⁵

(2) q ∈ A(x) ⇒ x▷q

(3) q ∈ F(x), y ≤ x and y◁q ⇒ q ∈ F(y)

Similar implications hold with a counterstrategy and a response of M.

Proof: If q ∈ F(x), then qd ∈ x for some d, hence qd ∈ x ∩ A(q), which means x◁q. If q ∈ A(x), then q ∈ q ∩ A(x), which means x▷q. If q ∈ F(x), y ≤ x and y◁q, let q₁d₁ be the unique element of y ∩ A(q). In particular, q₁ ≤ q. Suppose q₁ < q: then q₁d₁ ∧ qd = q₁. But since q₁d₁, qd ∈ x, their glb cannot be a query, by definition of a strategy: contradiction. □

Lemma (A∧)

Let M = (A,D,P) be an sds, x be a strategy and let q ∈ A(x). Then, for any r ∈ x, q∧r is ε or is a response, and thus, for any qd ∈ P, x ∪ {qd} is a strategy. Similarly, if α is a counterstrategy and r ∈ A(α), then, for any q ∈ α, r∧q is a query.

Proof: Let q = r₁a. We claim:

$q \wedge r \le r_1$

Suppose q∧r ≰ r₁. Then q∧r = q since q∧r ≤ q = r₁a. Hence q ≤ r, contradicting q ∈ A(x): this proves the claim, which in turn implies q∧r = r₁∧r. The conclusion follows, since by definition of a strategy r₁∧r is ε or is a response. □

⁵The converse is not true: we may have x◁|q = q₁d₁ and q₁d ≤ q, with d ≠ d₁.


3. Affine sequential algorithms

We now turn to morphisms between sequential data structures. We first recall Kahn-Plotkin's definition of a sequential function, which we formulate here in the framework of sequential data structures.

Definition (Sequential function)

Let M and M' be two sds's. A function f: D(M) → D(M') is called sequential if it is continuous and if for any pair (x,α') ∈ D(M) × D⊥°(M') such that f(x)▷α', but f(z)◁α' for some z ≥ x, there exists α ∈ D⊥°(M), called sequentiality index of f at (x,α'), such that x▷α and for any y ≥ x, f(y)◁α' implies y◁α. It is an easy exercise in the framework of sds's to show that we obtain an equivalent definition replacing α' by q' ∈ Q', α by q ∈ Q, f(x)▷α' by q' ∈ A(f(x)), and x▷α by q ∈ A(x). It is in this form that the definition was first given. □

The definition is illustrated in Figure 8. A sequentiality index represents an unavoidable computation.

Figure 8: Sequential function

In [BeCu1, CuMon] we have shown that sequential functions do not form a cartesian closed category. The basic idea behind Berry-Curien's sequential algorithms is to assign to each pair (x,q') such as in Figure 8 a choice of a sequentiality index, as suggested by the upper fat dashed arrow of Figure 8. We can best capture this idea with examples, taken from [BeCu2, CuMon]. Consider the following function left_or, which has a unique algorithm (also called left_or) associated with it. Its input domain is the sds Bool² of Figure 2, and we take the following representation for its output domain:

Bool = ({?}, {T,F}, {?, ?T, ?F}).

The unique sequentiality index at (⊥,?) is x; at {xT}, left_or outputs T, that is, ?T ∈ left_or({xT}); at {xF}, the unique sequentiality index of left_or is y; finally, ?T ∈ left_or({xF,yT}) and ?F ∈ left_or({xF,yF}). This can be summarized as a "program":
left_or =
    request ? valof x
        is T output T
        is F valof y
            is T output T
            is F output F

In contrast, there are two different algorithms computing the strict version strict_or of the disjunction function (strict_or has two sequentiality indices at (⊥,?)):

left_strict_or =
    request ? valof x
        is T valof y
            is T output T
            is F output T
        is F valof y
            is T output T
            is F output F

right_strict_or =
    request ? valof y
        is T valof x
            is T output T
            is F output T
        is F valof x
            is T output T
            is F output F

These  examples  should  serve  as  a  guide  to  the  following  definition. 


Definition (Affine exponent sds)

Let M = (A,D,P) and M' = (A',D',P') be two sds's. We define the sds M⊸M' = (A'',D'',P'') as follows:

- A'' is the disjoint union of A' and D,

- D'' is the disjoint union of D' and A,

- P'' consists of the alternating paths s starting with an a' ∈ A' which are such that:

  - s↾M' ∈ P' and (s↾M = ε or s↾M ∈ P),

  - P'' contains no path of the form saa'.

We call affine sequential algorithms (or affine algorithms) from M to M' the strategies of M⊸M'. The identity sequential algorithm id_M ∈ D(M⊸M) is defined as follows (recall the function copycat from Section 1):

- id_M = {copycat(r) | r is a response of M}. □


Remark: The constraints of the definition also impose that P'' contains no path of the form sd'd. Suppose it does. Then, since sd'd↾M ∈ P, s contains a prefix s₁a such that sd'd↾M = (s₁a↾M)d. Let m be the move following s₁a in sd': m cannot belong to D since sd'd↾M = (s₁a↾M)d, and cannot belong to A' by the definition of M⊸M'.

A generic strategy of M⊸M' is drawn in Figure 9, with the tags "request" and "is" for the disjoint components of A'', and the tags "output" and "valof" for the disjoint components of D''.

Figure 9: Generic affine algorithm (rooted at request a', branching below into request a'₁, ..., request a'ₘ)

The constraint "no saa'" can be more informally formulated as follows: a "valof a" which is not an end point of the algorithm must be followed by an "is d". This constraint is the essence of sequential computation. Thinking of "valof a" as a call to a subroutine, the principal routine cannot proceed further until it receives the result "is d" from the subroutine.

We have framed a portion of the algorithm that is only concerned with the exploration of the input. If the tags are removed, this portion reads as a counterstrategy of M, and the rest of the drawing constitutes a strategy of M'. Thus an affine sequential algorithm appears as a "combination" of output strategies and of input exploration trees.


Remark: Our convention that unions are always disjoint is violated in the formula defining id_M. More appropriately, we should have used the tags: thus, say, a path ad of M becomes a path "request a valof a is d output d". Later in this section we shall give a game-theoretic interpretation of id_M.

Although the programs for left_or, left_strict_or and right_strict_or have served as a motivation for Definition (Affine exponent sds), they are not examples of affine sequential algorithms, but only of sequential algorithms, which we shall recall in Section 5. Take for example the "path" ?xFyTT in left_or: its projection xFyT on the input sds is not a path of that sds, but rather a sequentialization of two paths xF and yT. This is what makes the difference between affine and general sequential algorithms. An algorithm asks successive queries to its input, and proceeds only when it gets responses to these queries. An affine algorithm is required to ask these queries in a monotonous way: each new query must be an extension of the previous one. The "unit" of resource consumption is thus a sequence of queries/responses that can be arbitrarily large as long as it builds a path of the input sds. The disjunction algorithms are not affine, because they may have to ask successively the queries x and y, which are not related by the prefix ordering.
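To make the distinction between affine and general sequential algorithms concrete, here is an added Python example (not code from the paper) that checks membership in P'' for M = Bool² and M' = Bool, using the tags request / valof / is / output of Figure 9 for the disjoint unions A'' and D''. It also builds the tagged copycat paths of id_M as in the Remark above. The path sets BOOL2_PATHS and BOOL_PATHS transcribe Figure 2 and the representation of Bool given in this section; the function names are the example's own.

```python
"""Paths of the affine exponent M -o M', for M = Bool^2 and M' = Bool.
Added example, not code from the paper. Moves of M -o M' carry the tags of Figure 9:
("request", a') and ("is", d) form A'', ("output", d') and ("valof", a) form D''. The
two sds's are given by their finite path sets; helper names are this example's own."""

BOOL2_PATHS = {("x",), ("x", "T"), ("x", "F"), ("y",), ("y", "T"), ("y", "F")}  # Figure 2
BOOL_PATHS = {("?",), ("?", "T"), ("?", "F")}                                    # Bool, Section 3

INPUT_TAGS = {"valof", "is"}         # moves that project onto M   (s restricted to M)
OUTPUT_TAGS = {"request", "output"}  # moves that project onto M'  (s restricted to M')
ADDRESS_TAGS = {"request", "is"}     # A'' = A' + D
DATA_TAGS = {"output", "valof"}      # D'' = D' + A

def restrict(s, tags):
    """The restriction of Section 1 on tagged paths: keep the moves whose tag is in
    `tags`, and drop the tags."""
    return tuple(m for tag, m in s if tag in tags)

def copycat(r):
    """copycat(wd) = copycat(w) d d, written with the tags of the Remark on id_M: the
    path a d of M becomes  request a, valof a, is d, output d."""
    out = []
    for k, m in enumerate(r):
        out.append(("request" if k % 2 == 0 else "is", m))
        out.append(("valof" if k % 2 == 0 else "output", m))
    return tuple(out)

def in_affine_exponent(s, P, P_prime):
    """Membership in P'': s alternates addresses and data of M -o M', starts with a
    request a', its projections lie in P' and (are empty or) in P, and no valof a is
    directly followed by a request a' (the 'no s a a'' constraint)."""
    if not s or s[0][0] != "request":
        return False
    for k, (tag, _) in enumerate(s):
        if tag not in (ADDRESS_TAGS if k % 2 == 0 else DATA_TAGS):
            return False
    if restrict(s, OUTPUT_TAGS) not in P_prime:
        return False
    proj = restrict(s, INPUT_TAGS)
    if proj and proj not in P:
        return False
    return not any(s[k][0] == "valof" and s[k + 1][0] == "request" for k in range(len(s) - 1))

def non_affine_paths(phi, P, P_prime):
    """The elements of a set of tagged paths that are not paths of M -o M'."""
    return {s for s in phi if not in_affine_exponent(s, P, P_prime)}

def identity_algorithm(P):
    """id_M = {copycat(r) | r a response of M}, for an sds M given by its path set
    (a path of even length is a response, since paths alternate and start with an address)."""
    return {copycat(r) for r in P if len(r) % 2 == 0}

# The three maximal branches of the program left_or of this section, as tagged paths.
LEFT_OR = {
    (("request", "?"), ("valof", "x"), ("is", "T"), ("output", "T")),
    (("request", "?"), ("valof", "x"), ("is", "F"), ("valof", "y"), ("is", "T"), ("output", "T")),
    (("request", "?"), ("valof", "x"), ("is", "F"), ("valof", "y"), ("is", "F"), ("output", "F")),
}

if __name__ == "__main__":
    for s in sorted(non_affine_paths(LEFT_OR, BOOL2_PATHS, BOOL_PATHS)):
        print(restrict(s, INPUT_TAGS))     # x F y T and x F y F: not paths of Bool^2
    print(all(in_affine_exponent(s, BOOL2_PATHS, BOOL2_PATHS)
              for s in identity_algorithm(BOOL2_PATHS)))
```

The branch request ? valof x is T output T passes every check, while the two branches that go on to valof y fail only on the projection onto Bool², which is the sequentialization xFyT (or xFyF) of two incomparable paths. The four copycat paths of id on Bool² pass all the checks, including the "no saa'" constraint, because valof a is always followed by is d.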

Our definition of affine exponent is the same as that given by Abramsky-Jagadeesan. It is equivalent to that given by Lamarche in [Lam1], restricted to what we call here Lamarchian sds's. According to Lamarche:

- The moves of the linear exponent are pairs (m,m') of moves m in M and m' in M' whose polarities are not in the combination (○,•).

- The moves of polarity ○ and those of polarity • are as indicated by Table 1:

    ⊸ | •   ○
    --+-------
    • | •   ○
    ○ | -   •

Table 1: Polarities for ⊸ (rows: polarity of m; columns: polarity of m'; the combination (○,•) is forbidden)

- One moves only on one side at a time: if (m,m') is a move, then its successor is a move of the form (n,m') or (m,n').

- As in our definition, it is required that the two projections of a path of M⊸M' are paths in M and M', respectively.

In Figure 10 we represent the generic algorithm of Figure 9, viewed as a Lamarchian one.

Figure 10: A generic Lamarchian algorithm (nodes labelled by pairs of moves, such as (ε,a'))

Lamarche's table of polarities elegantly captures the constraints of our definition: the first move after the root (•,•) must have the form (○,•) or (•,○), since only one component moves at a time. But the combination (○,•) is forbidden; hence an algorithm starts with a "request a'". For the same reason, a (○,○) move can only be followed by a (•,○) move, and this enforces the constraint that a "valof a" can only be followed by an "is d".

Table 1 is helpful in designing the tensor product of two sds's. Let us briefly anticipate Section 4. By simple logical manipulations, we get the following table of polarities for the tensor:

    ⊗ | •   ○
    --+-------
    • | •   ○
    ○ | ○   -

Table 2: Polarities for ⊗ (rows: polarity of m; columns: polarity of m'; the combination (○,○) is forbidden)

(This table is obtained through the encoding of M⊗M' as (M⊸M'⊥)⊥.) It is directly suggestive of a game-theoretic interpretation: M and M' can be thought of as two distinct boards, on which two persons, the opponent and the player, can play. The opponent has the ○ moves on both boards, and the player has the • moves on both boards. The table indicates that only the opponent has the freedom to play his next move on the board of his choice. Indeed, an opponent's move is either a (○,•) or a (•,○) move; if it is a (○,•) move, this indicates that the opponent last played on the first board and that the player has to move next on the same board. A similar analysis can be done for a (•,○) move. In contrast, a player's move is a (•,•) move, and can be followed by either sort of opponent's move, which indicates that the opponent can play on either game.

With this interpretation in mind, we can read the identity algorithm id_M as a "copycat" counterstrategy, as it is called in [AJ2]. We first look at M⊸M as (M⊗M⊥)⊥. Hence we can describe id_M as a counterstrategy of M⊗M⊥. It is convenient to think of the player of M⊗M⊥ as a team of two players (one on the board M, the other on the board M⊥), who play against the opponent. Following Lafont [LS] (see also [AJ2]), we call these two players Karpov and Kasparov. We also consider M and M⊥ as two copies Left and Right of the same board, with the following distribution among the participants, as illustrated in Figure 11.

- Karpov plays black on Left,

- Kasparov plays white on Right,

- the opponent plays either white on Left or black on Right.


Figure 11: The identity algorithm (Left board and Right board, with Kasparov's moves, Karpov's moves and the opponent's moves, positions 1 through 4)

Table 2 forces Kasparov to move first (request a). The opponent immediately copies this move on Left (valof a), leaving to Karpov the task of finding a black move on Left as a response. If Karpov has succeeded (is d), the opponent immediately copies the move on Right (output d), and symmetrically leaves to Kasparov the task of thinking about the appropriate next move. It is clear that with this courageous strategy, the opponent is winning... The positions 1 through 4 in Figure 11 correspond to the four successive steps "request a", "valof a", "is d", and "output d".

We  come  back  to  affine  sequential  algorithms.  We  state  a  key  technical  property. 

Lemma (Injectivity)

(1) For any affine sequential algorithm φ, the map s ↦ (s↾M, s↾M') is an order-isomorphism from φ to its image, ordered componentwise by the prefix ordering.

(2) If two elements s₁ and s₂ of φ are such that (s₁↾M)∧(s₂↾M) is either ε or is a response, and if (s₁↾M') and (s₂↾M') are comparable, then s₁ and s₂ are comparable.

(3) If two elements s₁ and s₂ of φ are such that (s₁↾M')∧(s₂↾M') is a query, and if (s₁↾M) and (s₂↾M) are comparable, then s₁ and s₂ are comparable.

Proof: We first show that the first part of the statement is implied by the second (or the third). It is obvious that s ↦ (s↾M, s↾M') is monotonous. Suppose that s₁↾M ≤ s↾M, s₁↾M' ≤ s↾M', and s₁ ≰ s. Then s ≤ s₁ by the second part of the statement, and by monotonicity s↾M ≤ s₁↾M, s↾M' ≤ s₁↾M'. Hence s₁↾M = s↾M, s₁↾M' = s↾M', and s = s₁ follows, since s < s₁ would imply either s↾M < s₁↾M or s↾M' < s₁↾M'.

We now prove the second part of the statement. Let t = s₁∧s₂, which is ε or is a response, since φ is a strategy. If t = s₁, then s₁ ≤ s₂. Similarly, if t = s₂ then s₂ ≤ s₁. Thus we may assume for the rest of the proof that t < s₁ and t < s₂. If t has the form t₁a, then t < s₁ and t < s₂ imply that t₁ad₁ ≤ s₁ and t₁ad₂ ≤ s₂ for some d₁ and d₂, which must be different since t₁a = s₁∧s₂: but then (s₁↾M)∧(s₂↾M) is a query, contradicting the assumption. If t is ε or has the form t₁d', then t < s₁ and t < s₂ imply that ta'₁ ≤ s₁ and ta'₂ ≤ s₂ for some a'₁ and a'₂, which must be different since t = s₁∧s₂: this contradicts the assumption that (s₁↾M') and (s₂↾M') are comparable.

The third part of the statement is proved similarly. □

Remark: The following observation is useful: any pair (s↾M, s↾M') in the image of φ under the mapping s ↦ (s↾M, s↾M') is either a pair of responses or a pair of queries. It is a pair of responses if and only if s ends with a datum d'; it is a pair of queries if and only if s ends with an address a.

The definition of an affine algorithm as a strategy of M⊸M' is not denotational in character. It is clearly suited to the proof of existence of an internal homset in the category of affine algorithms, which will be carried out in the next section, but one would wish a more abstract functional description of the morphisms of our category. Fortunately, there is one, which we state after some preliminaries.

First, we call a function f: D(M) → D(M') prime-continuous when it is monotonous and satisfies the following condition:

- if r' ∈ f(x), then there exists r ∈ x such that r' ∈ f(r).

It is easy to see that, equivalently, a prime-continuous function can be defined as a continuous function preserving lubs of pairs of compatible elements. These definitions apply also to (partial) functions g: D⊥(M') → D⊥(M). (By a monotonous partial function g, we mean that if α ≤ β and g(α) is defined, then g(β) is also defined and g(α) ≤ g(β).)

The trace of a continuous function f: D(M) → D(M') is the relation Trace(f) ⊆ D°(M) × D°(M') consisting of the pairs (x,x') such that x' ≤ f(x) and x' ≰ f(y) for y < x. The trace of g: D⊥(M') → D⊥(M) is defined likewise. The functions that we shall consider will always be stable, which for, say, f: D(M) → D(M') means:

- if (x₁,x') ∈ Trace(f), (x₂,x') ∈ Trace(f), and x₁ ↑ x₂ (x₁ and x₂ are compatible), then x₁ = x₂.

Equivalently, and more abstractly, stability is the preservation of glbs of pairs of compatible elements. Another equivalent definition of stability is in terms of minima:

Notation ($M(f,x,x')$)

Let $M$ and $M'$ be sds's, and let $f$ be a continuous function from $D(M)$ to $D(M')$. If $x \in D(M)$, $x' \in D^\circ(M')$, and $x' \leq f(x)$, then we denote by $M(f,x,x')$ the minimum $y \leq x$, if it exists, such that $x' \leq f(y)$.

If $f$ is stable, then $M(f,x,x')$ exists: a minimal $y$ can be found by continuity and well-foundedness, and the uniqueness follows from stability. Clearly, $(M(f,x,x'),x') \in \mathrm{Trace}(f)$. Conversely, the existence of all the $M(f,x,x')$'s implies the preservation of glbs of pairs of compatible elements [Be, CHL, CuMon]. Also, one proves easily that sequentiality implies stability (see [CuMon]).

We  call  affine  a  stable  and  prime-continuous  (partial)  function.  The  interest  of  this 
combination  of  preservation  properties  lies  in  the  following  lemma. 

Lemma  (Trace  composition) 

Let  f  and  g  be  two  composable  affine  functions.  The  composition  of  f  and  g  is  itself 
affine,  and  its  trace  is  the  relation  composition  of  the  traces  of  f  and  g. 

Proof: Let, say, $f: D(M) \to D(M')$ and $g: D(M') \to D(M'')$. The first part of the statement is obvious using the characterization of prime-continuity and stability by lub and meet preservation properties. We show $\mathrm{Trace}(g \circ f) \subseteq \mathrm{Trace}(g) \circ \mathrm{Trace}(f)$, without using stability. Let $(r,r'') \in \mathrm{Trace}(g \circ f)$. By prime-continuity, there exists $r'$ such that $r' \leq f(r)$ and $(r',r'') \in \mathrm{Trace}(g)$. We show $(r,r') \in \mathrm{Trace}(f)$. If $r' \leq f(r_0)$ for some $r_0 < r$, then $r'' \leq g(r') \leq g(f(r_0))$, contradicting $(r,r'') \in \mathrm{Trace}(g \circ f)$. Finally, we show $\mathrm{Trace}(g) \circ \mathrm{Trace}(f) \subseteq \mathrm{Trace}(g \circ f)$, making use of the stability of $g$. Let $(r,r') \in \mathrm{Trace}(f)$ and $(r',r'') \in \mathrm{Trace}(g)$. Since $r' \leq f(r)$ and $r'' \leq g(r')$, we have $r'' \leq g(f(r))$. Assume $r'' \leq g(f(r_0))$ for some $r_0 < r$, and let $r'_0$ be such that $r'_0 \leq f(r_0)$ and $(r'_0,r'') \in \mathrm{Trace}(g)$. Then $r'_0 \uparrow r'$ implies $r'_0 = r'$. But then $r' = r'_0 \leq f(r_0)$ contradicts $(r,r') \in \mathrm{Trace}(f)$. □


We now formulate our symmetric definition of affine sequential algorithm. It relies on a notation which is similar to the notation $M(f,x,x')$.

Notation ($M(f,x,\alpha')$)

Let $M$ and $M'$ be sds's, and let $f$ be a continuous function from $D(M)$ to $D(M')$. If $x \in D(M)$, $\alpha' \in D^\perp(M')$, and $f(x) \lhd \alpha'$, then we denote by $M(f,x,\alpha')$ the minimum $y \leq x$, if it exists, such that $f(y) \lhd \alpha'$.

This notation coincides with the notation $M(f,x,r')$ when $\alpha' = q'$ and $r' = q'd' \in f(x)$. (This is proved thanks to statement (3) of Lemma $\lhd F$.)

Definition (Symmetric algorithm)

Let $M = (A,D,P)$ and $M' = (A',D',P')$ be two sds's. A symmetric algorithm from $M$ to $M'$ is a pair $(f: D(M) \to D(M'),\ g: D^\perp(M') \to D^\perp(M))$ of a function and a partial function that are both continuous and satisfy the following axioms:

(L) $x \in D(M) \wedge \alpha' \in D^{\perp\circ}(M') \wedge f(x) \lhd \alpha' \Rightarrow x \lhd g(\alpha') \wedge (M(f,x,\alpha') = x \lhd\!| g(\alpha'))$
(R) $\alpha' \in D^\perp(M') \wedge x \in D^\circ(M) \wedge x \rhd g(\alpha') \Rightarrow f(x) \rhd \alpha' \wedge (M(g,\alpha',x) = f(x) \rhd\!| \alpha')$

We set as a convention that for any $x$, and any $\alpha'$ such that $g(\alpha')$ is undefined:

$x \lhd g(\alpha')$ and $x \lhd\!| g(\alpha') = \emptyset$

To see that this convention is natural, recall that in a Lamarchian sds, every path starts with the initial move. When $g(\alpha')$ is undefined, this initial move is the final move of the interplay, and thus $x$ wins. With this convention, the conclusion of (L) is simply $M(f,x,\alpha') = \emptyset$ when $g(\alpha')$ is undefined. In contrast, when we write $x \rhd g(\alpha')$ as in (R), we assume that $g(\alpha')$ is defined.

The collection of symmetric algorithms is ordered componentwise by the pointwise ordering:

$(f_1,g_1) \leq (f_2,g_2)$ iff $\forall x\ f_1(x) \leq f_2(x)$ and $\forall \alpha\ g_1(\alpha) \leq g_2(\alpha)$ (if $g_1(\alpha)$ is defined) ◇

These axioms enable us, knowing $f$ and $g$, to reconstruct the traces of $f$ and $g$. Definition Symmetric algorithm is strikingly compact with respect to the definition of abstract algorithm found in [BeCu1, CuMon] (see also [BuEhr]) and reformulated in Section 5. It implies that the two functions $f$ and $g$ are prime-continuous and sequential. Moreover, $g$ allows us to compute the sequentiality indices of $f$, and $f$ allows us to compute the sequentiality indices of $g$.


Proposition (Symmetry and sequentiality)

Let $f$ and $g$ be as in the previous definition. Then $f$ and $g$ are prime-continuous and sequential, and they satisfy the following two axioms:

(LS) If $x \in D(M)$, $\alpha' \in D^\perp(M')$, $f(x) \rhd \alpha'$ and if $f(y) \lhd \alpha'$ for some $y \geq x$, then $x \rhd g(\alpha')$ and $x \rhd\!| g(\alpha')$ is a sequentiality index of $f$ at $(x,\alpha')$.

(RS) If $\alpha' \in D^\perp(M')$, $x \in D^\circ(M)$, $x \lhd g(\alpha')$ and if $x \rhd g(\beta')$ for some $\beta' \geq \alpha'$, then $f(x) \lhd \alpha'$ and $f(x) \lhd\!| \alpha'$ is a sequentiality index of $g$ at $(\alpha',x)$.

Proof: The prime-continuity of $f$ follows from Axiom (L), since this axiom implies that any element $M(f,x,\alpha')$ is a prime element. Precisely, suppose $q'd' \in f(x)$. Then $f(x) \lhd q'$. By (L), $x \lhd g(q')$ and $f(r) \lhd q'$, where $r = x \lhd\!| g(q')$. Let $q'_1d'_1 = f(r) \lhd\!| q'$, and suppose $q'_1 < q'$. On one hand $q'_1d'_1 \in A(q')$ implies $q'_1d'_1 \not\leq q'$. On the other hand, since $q'_1d'_1 \in f(r)$ and $r \leq x$, we have $q'_1d'_1 \in f(x)$, and $q'd', q'_1d'_1 \in f(x)$ imply $q'_1d'_1 \leq q'$: contradiction. Hence $q'_1 = q'$, and moreover $d'_1 = d'$ since $q'd', q'd'_1 \in f(x)$. We have proved $f(r) \lhd\!| q' = q'd'$, and a fortiori $q'd' \in f(r)$.

We now prove that Axiom (L) implies property (LS) (which itself implies the sequentiality of $f$). Suppose $x \in D(M)$, $\alpha' \in D^\perp(M')$, $f(x) \rhd \alpha'$, and $f(y) \lhd \alpha'$ for some $y \geq x$. Let $r_1 = y \lhd\!| g(\alpha')$. By (L), we have $f(r_1) \lhd \alpha'$, which implies $r_1 \not\leq x$ since $f(x) \rhd \alpha'$. Let $r$ be the largest response prefix of $r_1$ contained in $x$, and let $ra$ be such that $ra \leq r_1$. We claim:

$x \rhd\!| g(\alpha') = ra$

From $r_1 \in A(g(\alpha'))$ and $ra \leq r_1$, we get $ra \in g(\alpha')$. We have $r \in x$ by construction, thus $ra$ is enabled in $x$. If $ra$ is filled in $x$, it must be filled with the same datum $d$ in $x$ and $r_1$, contradicting the maximality of $r$. Hence $ra \in g(\alpha') \cap A(x)$, which proves the claim. The proof of (LS) is completed by observing that $ra \leq r_1$, $r_1 \leq y$ imply $ra \in F(y)$. □

Thus the two components $f$ and $g$ of a symmetric algorithm $(f,g)$ are sequential and prime-continuous. A fortiori, they are stable, hence affine, which entails that they are actually strongly sequential. (Strong sequentiality means that at every $(x,q')$ there is at most one sequentiality index; cf. [CuMon, Exercise 2.4.11.3 (second edition)].)6 One can show that any affine function $f$ is the first component of some affine algorithm $(f,g)$ (a similar theorem is shown in [CuMon, Proposition 2.5.6]).

A familiar feature of stability is not apparent in Definition Symmetric algorithm: the order is not defined as Berry's stable ordering. But the stable ordering is a derived property. We recall a definition of the stable ordering. Let $f_1, f_2 \in D(M) \to D(M')$. We write:

$f_1 \leq_s f_2$ when $\forall x\ \forall y \leq x\ \ f_1(y) = f_2(y) \wedge f_1(x)$

6 Conversely, there are strongly sequential functions that are not affine: left_or is an example.
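The following worked check of the footnote's claim about left_or is added here and is not part of the original paper. It assumes the usual encoding: two input cells $c_1, c_2$ and one output cell $o$, each cell an address that can hold the datum $\mathit{tt}$ or $\mathit{ff}$, so that a finite strategy is a set of responses such as $\{c_1\mathit{ff}, c_2\mathit{tt}\}$, and a response $r$ is identified with the strategy it generates.

$$
\begin{aligned}
&\mathrm{left\_or}(\{c_1\mathit{tt}\}) = \{o\,\mathit{tt}\},\quad
\mathrm{left\_or}(\{c_1\mathit{ff}, c_2\mathit{tt}\}) = \{o\,\mathit{tt}\},\quad
\mathrm{left\_or}(\{c_1\mathit{ff}, c_2\mathit{ff}\}) = \{o\,\mathit{ff}\},\\
&\mathrm{left\_or}(\emptyset) = \mathrm{left\_or}(\{c_1\mathit{ff}\}) = \mathrm{left\_or}(\{c_2\mathit{tt}\}) = \mathrm{left\_or}(\{c_2\mathit{ff}\}) = \emptyset.\\[4pt]
&\text{Trace: } \mathrm{Trace}(\mathrm{left\_or}) = \{(\{c_1\mathit{tt}\}, o\,\mathit{tt}),\ (\{c_1\mathit{ff}, c_2\mathit{tt}\}, o\,\mathit{tt}),\ (\{c_1\mathit{ff}, c_2\mathit{ff}\}, o\,\mathit{ff})\}.\\
&\text{Stability: the two inputs paired with } o\,\mathit{tt} \text{ are incompatible, so the stability condition on traces holds.}\\
&\text{Strong sequentiality: at } (\emptyset, o) \text{ the only index is } c_1;\ \text{at } (\{c_1\mathit{ff}\}, o) \text{ the only index is } c_2;\\
&\quad\text{at } (\{c_2 d\}, o) \text{ the only index is } c_1 \text{ (for } d \in \{\mathit{tt},\mathit{ff}\}).\\[4pt]
&\text{Prime-continuity fails: } o\,\mathit{tt} \in \mathrm{left\_or}(\{c_1\mathit{ff}, c_2\mathit{tt}\}),\ \text{but the only responses } r \text{ in this input are}\\
&\quad c_1\mathit{ff} \text{ and } c_2\mathit{tt}, \text{ and } \mathrm{left\_or}(\{c_1\mathit{ff}\}) = \mathrm{left\_or}(\{c_2\mathit{tt}\}) = \emptyset,\ \text{so no } r \text{ satisfies } o\,\mathit{tt} \in \mathrm{left\_or}(r).\\
&\text{Hence left\_or is stable and strongly sequential, but not prime-continuous, and therefore not affine.}
\end{aligned}
$$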
Proposition (Stable ordering)

If $(f_1,g_1) \leq (f_2,g_2)$ (cf. Definition Symmetric algorithm), then $f_1 \leq_s f_2$ and $g_1 \leq_s g_2$.

Proof: We only prove $f_1 \leq_s f_2$, the proof being symmetrical for $g_1$ and $g_2$. Consider $x$ and $y \leq x$, and assume $q'd' \in f_2(y) \wedge f_1(x)$. Suppose $q'd' \notin f_1(y)$. We can take $q'd'$ minimal with this property, thus we can assume $q' \in A(f_1(y))$, which implies $f_1(y) \rhd q'$ by Lemma $\lhd F$. Since in an sds domain the glbs of compatible elements are set intersections, we have $q'd' \in f_2(y)$ and $q'd' \in f_1(x)$. By (LS) applied to $(f_1,g_1)$, we have: $y \rhd g_1(q')$, and $r_1a = y \rhd\!| g_1(q')$ is a sequentiality index of $f_1$ at $(y,q')$. Since $g_1 \leq g_2$ (where $\leq$ denotes the pointwise ordering), we have $r_1a \in g_2(q')$. Hence by (R) applied to $(f_2,g_2)$ we get $f_2(r_1) \rhd q'$. By (LS) applied to $(f_2,g_2)$, $r_1 \rhd g_2(q')$ and $r_1 \rhd\!| g_2(q')$ is a sequentiality index of $f_2$ at $(r_1,q')$. Since $r_1a \in g_2(q')$, we have $r_1 \rhd\!| g_2(q') = r_1a$. Now:

- by sequentiality $f_2(y) \lhd q'$ implies $y \lhd r_1a$;

- by definition of $r_1a$, $r_1a \in A(y)$, hence $y \rhd r_1a$ by Lemma $\lhd F$.

This contradiction proves $q'd' \in f_1(y)$, and $f_1 \leq_s f_2$. □

We have to show the equivalence between the concrete and the denotational presentations of our morphisms.

Definition (From concrete to symmetric)

Let $M$ and $M'$ be two sds's. Given an affine sequential algorithm $\phi \in D(M \multimap M')$, we define a symmetric algorithm $(f,g)$ as follows:

- $f(x) = \{r' \mid r' = s\lceil M' \text{ and } s\lceil M \in x, \text{ for some } s \in \phi\}$,

- $g(\alpha') = \{q \mid q = s\lceil M \text{ and } s\lceil M' \in \alpha', \text{ for some } s \in \phi\}$.

By convention, if for some $\alpha'$ the right-hand side of the definition of $g$ is empty, we interpret this definitional equality as saying that $g(\alpha')$ is undefined. ◇

The traces of $f$ and $g$ have an easy characterization, as the following lemma shows.

Lemma (Trace)

Let $(f,g)$ be constructed from an affine sequential algorithm $\phi$ as above. Then:

- $\mathrm{Trace}(f) = \{(r,r') \mid r = s\lceil M \text{ and } r' = s\lceil M', \text{ for some } s \in \phi\}$,

- $\mathrm{Trace}(g) = \{(q',q) \mid q' = s\lceil M' \text{ and } q = s\lceil M, \text{ for some } s \in \phi\}$.

Proof: If $r = s\lceil M$ and $q'd' = r' = s\lceil M'$, for some $s \in \phi$, then a fortiori $s\lceil M \leq r$, thus $r' \in f(r)$. Suppose that $r' \in f(r_1)$ for some $r_1 < r$. Let $s_1 \in \phi$ be such that $r' = s_1\lceil M'$ and $s_1\lceil M \leq r_1$. Thus $(s_1\lceil M, s_1\lceil M') < (s\lceil M, s\lceil M')$, which by Lemma Injectivity implies $s_1 < s$. But by the definition of $M \multimap M'$, $r' = s\lceil M'$ implies that $s$ ends with $d'$, and hence $s_1\lceil M' < s\lceil M'$, contradicting $r' = s_1\lceil M'$. Thus $(r,r') \in \mathrm{Trace}(f)$. Reciprocally, if $(r,r') \in \mathrm{Trace}(f)$, then let $s \in \phi$ be such that $r' = s\lceil M'$ and $s\lceil M \leq r$. Then, by minimality of $r$, we must have $s\lceil M = r$. The proof of the second equality is similar. □

The definition of the function $f$ computed by $\phi$ is so compact that it may hide the underlying operational semantics. The application of $\phi$ to a strategy $x$ of $M$ involves an interplay between $\phi$ and $x$ that is very similar to the situation described in Proposition Play. We have already suggested pictorially that an affine sequential algorithm "contains" input counter-strategies. Figure 12, taken from [CuMon (second edition)], illustrates the interplay between $\phi$ and $x$. In this figure, the bold oriented path represents the flow of control. The relation with Figures 4, 5, and 7 is as follows: the counter-strategy "valof a ..." is matched against $x$, resulting in the path $ad, be$.

This is reminiscent of Girard's geometry of interaction. We refer to [AJ1, AJ2, Lam2] for some more precise connections.


Figure  12:  Application 
Conversely, given a symmetric algorithm $(f,g)$, we construct a strategy $\phi$ of $M \multimap M'$ inductively, as suggested by Figure 13. The construction of a path of $\phi$ is carried out as an experiment. The experimenter is free to give addresses of $M \multimap M'$, and the specification $(f,g)$ provides corresponding data. At the beginning, the experimenter gives an $a'_1$. If $a'_1$ is filled in $f(\emptyset)$, the next datum on the experimentation path is an "output" instruction. If $g(a'_1)$ contains some path $a$ of length 1, the next datum is a "valof" instruction. The axioms of symmetric algorithms guarantee that these two situations are exclusive. Indeed, if $a'_1$ is filled in $f(\emptyset)$, then $f(\emptyset) \lhd a'_1$, which by (L) implies $\emptyset \lhd g(a'_1)$, and if $g(a'_1)$ contains a path of length 1, then $\emptyset \rhd g(a'_1)$. It is easy to see that this argument applies all along the path constructed in Figure 13. More precisely:

- An "output" instruction is indicated by $f$ until an address $a'$ is placed by the experimenter for which $g$ indicates a "valof" instruction. Then the next address placed by the experimenter must be a $d_1$ (cf. the definition of affine sequential algorithm).

- The function $g$ keeps the hand on the shown path until an address $d$ is placed by the experimenter for which $f$ indicates an "output" instruction.

The argument to which the function $f$ or $g$ is applied at each stage is the projection of the path constructed so far on the appropriate sds ($M$ for $f$, $M'$ for $g$). It is easily seen by construction that, collecting together all these experimentation paths, we obtain a strategy of $M \multimap M'$.

The following definition formalizes the construction.

Definition (From symmetric to concrete)

Let $M$ and $M'$ be two sds's. Given a symmetric algorithm $(f,g)$ from $M$ to $M'$, we construct an affine algorithm $\phi \in D(M \multimap M')$ as follows. We build the paths $s$ of $\phi$ by induction on the length of $s$:

- if $s \in \phi$, if $s\lceil M$ and $s\lceil M'$ are responses, and if $q' = (s\lceil M')a'$ for some $a'$, then

$sa'a \in \phi$ if $(s\lceil M)a \in g(q')$
$sa'd' \in \phi$ if $q'd' \in f(s\lceil M)$

- if $s \in \phi$, if $s\lceil M$ and $s\lceil M'$ are queries, and if $r = (s\lceil M)d$ for some $d$, then (writing $q' = s\lceil M'$)

$sda \in \phi$ if $ra \in g(q')$
$sdd' \in \phi$ if $q'd' \in f(r)$ ◇


Figure 13: From symmetric to concrete. (The figure is not reproduced; its experimentation path reads, from top to bottom: $a'_1$; $d'_1$ with $a'_1d'_1 \in f(\emptyset)$; ...; $d'_n$ with $a'_1d'_1 \ldots a'_nd'_n = r' \in f(\emptyset)$; $a'$; $a_1$ with $a_1 \in g(r'a')$; ...; $a_n$ with $a_1 \ldots d_{n-1}a_n = q \in g(r'a')$; $d'$ with $r'a'd' \in f(qd_n)$.)

This construction defines an inverse to the map $s \mapsto (s\lceil M, s\lceil M')$ considered in Lemma Injectivity.

The above transformations are inverse order-isomorphisms.

Theorem (Symmetric/affine)

Given $M$ and $M'$, the above transformations define order-isomorphisms between $D(M \multimap M')$, ordered by inclusion, and the set of symmetric algorithms from $M$ to $M'$, ordered pointwise componentwise.

Proof: We limit ourselves to checking that $(f,g)$ constructed as in Definition From concrete to symmetric from an affine algorithm $\phi$ satisfies (L). If $x \in D(M)$, $\alpha' \in D^\perp(M')$ and $f(x) \lhd \alpha'$, let $q'd' = f(x) \lhd\!| \alpha'$, and let $s \in \phi$ be such that $q'd' = s\lceil M'$ and $s\lceil M \in x$. Then $s$ ends with $d'$. We claim:

(i) $s\lceil M = M(f,x,\alpha')$
(ii) $s\lceil M = x \lhd\!| g(\alpha')$

We first prove (ii). Since $s\lceil M \in x$, we are left to show $s\lceil M \in A(g(\alpha'))$. Since $q'd' = f(x) \lhd\!| \alpha'$, we have $q'd' \in A(\alpha')$, hence $q' \in \alpha'$. We first show that $s\lceil M$ is enabled in $g(\alpha')$. Let $s\lceil M = qd$, and let $s_1$ be the least prefix of $s$ such that $s_1\lceil M = q$. We claim:

$s_1\lceil M' \in \alpha'$

By the definition of $s_1$, and since $s$ ends with $d'$, $s_1$ is a strict prefix of $s$ and $s_1\lceil M' < s\lceil M'$. Hence $s_1\lceil M' \leq q'$, which implies the claim. Since $s_1\lceil M = q$, the claim implies $q \in g(\alpha')$ by definition of $g$, and that $s\lceil M$ is enabled in $g(\alpha')$. Suppose now that $s\lceil M$ is filled in $g(\alpha')$. Then there exist $a$ and $s_2 \in \phi$ such that $(s\lceil M)a = s_2\lceil M$ and $s_2\lceil M' \in \alpha'$. By Lemma $A\alpha$, we can apply Lemma Injectivity (part 3) to $s$ and $s_2$. Thus $s$ and $s_2$ are comparable. But since $(s\lceil M)a = s_2\lceil M$ we cannot have $s_2 \leq s$, and since $s_2\lceil M' \in \alpha'$ and $s\lceil M' \in A(\alpha')$ we cannot have $s \leq s_2$: contradiction. This completes the proof of (ii).

We now prove (i). By definition of $f$, we have $s\lceil M' \in f(s\lceil M)$, hence $f(s\lceil M) \lhd \alpha'$. Suppose now that $y \leq x$ and $f(y) \lhd \alpha'$. By Lemma $x \lhd \alpha$, $f(y) \lhd\!| \alpha' = f(x) \lhd\!| \alpha'$, thus $q'd' \in f(y)$. Let $s_3 \in \phi$ be such that $q'd' = s_3\lceil M'$ and $s_3\lceil M \in y$. By Lemma Injectivity (part 2), $s$ and $s_3$ are comparable. Since $s$ ends with $d'$ and since $s_3\lceil M' = s\lceil M'$, $s_3$ cannot be a proper prefix of $s$. Thus $s \leq s_3$, and this entails $s\lceil M \in y$ since $s\lceil M \leq s_3\lceil M$ and $s_3\lceil M \in y$. This completes the proof of (i). □

4. A symmetric monoidal closed category

We now turn sequential data structures and symmetric algorithms into a category by adding a notion of composition. The formulation of the morphisms as symmetric algorithms allows us to define composition in a straightforward way.

Definition (Denotational composition)

Let $M$, $M'$ and $M''$ be sds's, and let $(f,g)$ and $(f',g')$ be symmetric algorithms from $M$ to $M'$ and from $M'$ to $M''$. We define their composition $(f'',g'')$ from $M$ to $M''$ as follows:

- $f'' = f' \circ f$ and $g'' = g \circ g'$.

Proposition (Denotational composition is well-defined)

The pair $(f'',g'')$ in Definition Denotational composition indeed defines a symmetric algorithm.

Proof: We only check Axiom (L). Suppose $f'(f(x)) \lhd \alpha''$. By (L) applied to $(f',g')$, we have $f(x) \lhd g'(\alpha'')$ and $M(f',f(x),\alpha'') = f(x) \lhd\!| g'(\alpha'')$. Since $f(x) \lhd g'(\alpha'')$, by (L) applied to $(f,g)$, we get $x \lhd g(g'(\alpha''))$ and $M(f,x,g'(\alpha'')) = x \lhd\!| g(g'(\alpha''))$. We have to prove $M(f' \circ f,x,\alpha'') = x \lhd\!| g(g'(\alpha''))$. We set $r = x \lhd\!| g(g'(\alpha''))$. Since $M(f,x,g'(\alpha'')) = r$, we have $f(r) \lhd g'(\alpha'')$. We claim:

$f'(f(r)) \lhd \alpha''$

Suppose the contrary, that is, $f'(f(r)) \rhd \alpha''$. Then, by (LS) applied to $(f',g')$ at $(f(r),\alpha'')$, we have $f(r) \rhd g'(\alpha'')$, which contradicts our previous deduction that $f(r) \lhd g'(\alpha'')$. Hence the claim holds. We are left to prove that any $y \leq x$ such that $f'(f(y)) \lhd \alpha''$ is such that $y \geq r$. Since $M(f,x,g'(\alpha'')) = r$, this second claim can be rephrased as:

$f(y) \lhd g'(\alpha'')$

We set $r' = f(x) \lhd\!| g'(\alpha'')$. Since $f(y) \leq f(x)$ and since $M(f',f(x),\alpha'') = r'$, we have $r' \leq f(y)$. But $r' \lhd g'(\alpha'')$ by definition of $r'$ and by property (1) of Lemma $x \lhd \alpha$, and the second claim follows by property (2) of Lemma $x \lhd \alpha$. □

Definition (AFFALGO)

The category AFFALGO is defined as follows. Its objects are the sequential data structures and its morphisms are the affine sequential algorithms. If $\phi \in D(A \multimap A')$ and $\phi' \in D(A' \multimap A'')$, and if $(f,g)$ and $(f',g')$ are the symmetric algorithms associated with $\phi$ and $\phi'$, respectively, then $\phi' \circ \phi$ is the affine sequential algorithm $\phi''$ associated with $(f' \circ f,\ g \circ g')$. The identity morphisms are those associated with the pairs $(id,id)$. ◇

Less  formally,  we  shall  indifferently  look  at  morphisms  as  affine  sequential 
algorithms  or  as  symmetric  algorithms. 

A closely related way of looking at the composition of affine algorithms, which is adopted in [Lam1], is to define the composition of algorithms as a relation composition.

Proposition (Relation composition)

Let $(f,g)$ be a symmetric algorithm. We define $\mathrm{Trace}(f,g)$ as follows:

- $\mathrm{Trace}(f,g) = \mathrm{Trace}(f) \cup \{(q,q') \mid (q',q) \in \mathrm{Trace}(g)\}$.

The following holds for any $(f,g)$ and $(f',g')$ as in Definition Denotational composition:

- $\mathrm{Trace}((f',g') \circ (f,g)) = \mathrm{Trace}(f',g') \circ \mathrm{Trace}(f,g)$

Proof: Immediate consequence of Lemma Trace composition. □


Abramsky and Jagadeesan give a different definition of composition, which is operational in flavour. This definition requires a notation.

Notation

Let $M = (A,D,P)$, $M' = (A',D',P')$ and $M'' = (A'',D'',P'')$ be three sds's. We let $\mathcal{L}(M,M',M'')$ denote the set of words in $((A \cup D) \cup (A' \cup D') \cup (A'' \cup D''))^*$ such that two consecutive symbols are not such that one is in $A \cup D$ and the other is in $A'' \cup D''$.
Proposition (Hiding)

Let $\phi \in D(M \multimap M')$, $\phi' \in D(M' \multimap M'')$. Then:

$\phi' \circ \phi = \{s\lceil (M \cup M'') \mid s \in \mathcal{L}(M,M',M''),\ s\lceil (M \cup M') \in \phi \text{ and } s\lceil (M' \cup M'') \in \phi'\}$

Proof: We refer to [AJ2] for a proof that the right-hand side defines a strategy of $M \multimap M''$. Then it is enough to check:

$\{(s\lceil M, s\lceil M'') \mid s \in \mathcal{L}(M,M',M''),\ s\lceil (M \cup M') \in \phi \text{ and } s\lceil (M' \cup M'') \in \phi'\} =$

$\{(p,p'') \mid p = s_1\lceil M,\ s_1\lceil M' = s_2\lceil M' \text{ and } p'' = s_2\lceil M'' \text{ for some } s_1 \in \phi,\ s_2 \in \phi'\}$

Obviously, the left-hand side is included in the right-hand side, taking $s_1 = s\lceil (M \cup M')$ and $s_2 = s\lceil (M' \cup M'')$. For the other direction we construct $s$ from $s_1$ and $s_2$ by replacing every $a'd'$ in $s_2$ by the corresponding portion $a'a_1d_1 \ldots a_nd_nd'$ of $s_1$. It is clear by construction that $s \in \mathcal{L}(M,M',M'')$. □

This alternative definition of composition is convenient to establish the symmetric monoidal structure of the category AFFALGO. It is closely related to the operational semantics of composition in the language CDS0 [CuMon, Definition 3.5.5].

The definition of tensor product is "dictated" by the equation $A \otimes B = (A \multimap B^\perp)^\perp$, as suggested at the end of Section 3.

Definition (Tensor product)

Let $M = (A,D,P)$ and $M' = (A',D',P')$ be two sds's. We define the sds $M \otimes M' = (A'',D'',P'')$ as follows:

- $A''$ is the disjoint union of $A$ and $A'$,

- $D''$ is the disjoint union of $D$ and $D'$,

- $P''$ consists of the alternating non-empty paths $s$ which are such that

  - ($s\lceil M = \epsilon$ or $s\lceil M \in P$) and ($s\lceil M' = \epsilon$ or $s\lceil M' \in P'$)

  - $P''$ contains no path of the form $sad'$. ◇

As for Definition Affine exponent sds, the second constraint implies that $P''$ contains no path of the form $sa'd$.

In order to define a symmetric monoidal structure, we need to turn $\otimes$ into a functor. We follow [AJ2].

Definition (Tensor product continued)

Let $M_1$, $M_2$, $M'_1$ and $M'_2$ be four sds's, and let $\phi_1 \in D(M_1 \multimap M'_1)$ and $\phi_2 \in D(M_2 \multimap M'_2)$. We define $\phi_1 \otimes \phi_2 \in D((M_1 \otimes M_2) \multimap (M'_1 \otimes M'_2))$ as follows. It consists of the paths of $M_1 \otimes M_2 \multimap M'_1 \otimes M'_2$ whose projections on $M_1 \cup M'_1$ and on $M_2 \cup M'_2$ are in $\phi_1$ and in $\phi_2$, respectively. ◇


Proposition (Tensor product functor)

The above definitions indeed define a functor which, together with the empty sds $(\emptyset,\emptyset,\emptyset)$ as unit, makes AFFALGO a symmetric monoidal category.

Proof: We check the preservation of composition. Let $\phi_1 \in D(M_1 \multimap M'_1)$, $\phi_2 \in D(M_2 \multimap M'_2)$, $\phi'_1 \in D(M'_1 \multimap M''_1)$ and $\phi'_2 \in D(M'_2 \multimap M''_2)$. An element of $(\phi'_1 \otimes \phi'_2) \circ (\phi_1 \otimes \phi_2)$ has the form $s\lceil (M_1 \cup M_2 \cup M''_1 \cup M''_2)$, where

$s\lceil (M_1 \cup M_2 \cup M'_1 \cup M'_2) \in \phi_1 \otimes \phi_2$ and $s\lceil (M'_1 \cup M'_2 \cup M''_1 \cup M''_2) \in \phi'_1 \otimes \phi'_2$

which is the same as

$s\lceil (M_1 \cup M'_1) \in \phi_1$, $s\lceil (M_2 \cup M'_2) \in \phi_2$, $s\lceil (M'_1 \cup M''_1) \in \phi'_1$ and $s\lceil (M'_2 \cup M''_2) \in \phi'_2$

Hence

$s\lceil (M_1 \cup M''_1) \in \phi'_1 \circ \phi_1$ and $s\lceil (M_2 \cup M''_2) \in \phi'_2 \circ \phi_2$

and thus $s\lceil (M_1 \cup M_2 \cup M''_1 \cup M''_2) \in (\phi'_1 \circ \phi_1) \otimes (\phi'_2 \circ \phi_2)$.

The symmetric monoidal structure is obvious and strict, with the convention that disjoint unions are ordinary unions. A more standard treatment (as adopted in [CCF]) consists in building such unions with the help of tags 1 and 2 for the left and right components. In this case, coherent isomorphisms arise: for example $(x,1)$ in $X \cup (Y \cup Z)$ corresponds to $((x,1),1)$ in $(X \cup Y) \cup Z$. □

Proposition (Monoidal closed)

The category AFFALGO is symmetric monoidal closed.

Proof: With our convention about disjoint unions, $D((M \otimes M') \multimap M'')$ and $D(M \multimap (M' \multimap M''))$ coincide. Our convention stands in the way of giving a rigorous justification of the naturality condition. Loosely, given $\phi \in D(M_1 \multimap M)$, in order to turn a path $s$ whose projection on $M_1 \cup (M' \multimap M'')$ is in a composition $M_1 \to M \to (M' \multimap M'')$ into a path whose projection on $(M_1 \otimes M') \cup M''$ is in the corresponding composition $(M_1 \otimes M') \to (M \otimes M') \to M''$, we replace every $M'$ portion $a'd'$ of $s$ by $a'a'd'd'$ (cf. the description of the copy-cat strategy). □

The category AFFALGO is also cartesian. It is easily checked that the empty sds $(\emptyset,\emptyset,\emptyset)$ is a terminal object, and that the following data yield binary products.

Definition (Product)

Let $M = (A,D,P)$ and $M' = (A',D',P')$ be two sds's. We define the sds $M \times M' = (A'',D'',P'')$ as follows:

- $A''$ is the disjoint union of $A$ and $A'$,

- $D''$ is the disjoint union of $D$ and $D'$,

- $P''$ is the disjoint union of $P$ and $P'$.

It is easily seen that $D(M \times M')$ is the set-theoretical product of $D(M)$ and $D(M')$, and that $D^\perp(M \times M')$ is the disjoint union of $D^\perp(M)$ and $D^\perp(M')$. The projections and pairing functions are as follows:

- $(Fst, Inl)$, where $Fst$ is the set-theoretical first projection and $Inl$ is the set-theoretical injection from $D^\perp(M)$ into $D^\perp(M \times M')$,

- $(Snd, Inr)$ (similarly),

- if $(f,g) \in D(M \multimap M')$ and $(f',g') \in D(M \multimap M'')$, then $\langle (f,g),(f',g') \rangle$ is defined as $(\langle f,f' \rangle, [g,g'])$, where $\langle\ ,\ \rangle$ and $[\ ,\ ]$ denote the set-theoretical pairing and copairing. ◇

In AFFALGO, the empty sds $(\emptyset,\emptyset,\emptyset)$ is both the unit of the tensor and a terminal object. It is this property which makes AFFALGO a model of affine logic. Indeed, the equations

tensor unit $= 1 = \top =$ terminal object

allow us to construct projections from the tensor product to its components, as follows:

$A \otimes B \to A \otimes \top \to A$

Moreover, the assumption that the terminal object is a multiplicative unit corresponds to the following proof transformations:

- naturality: for example, the proof ($\vdash \Gamma, A$ and $\vdash A^\perp, A$ implies $\vdash \Gamma, A$ implies $\vdash \Gamma, A, B$) by cut and weakening is equivalent to the proof obtained by first weakening $\vdash \Gamma, A$ into $\vdash \Gamma, A, B$, and then applying cut;

- the logical inference rule ($\vdash \Gamma$ implies $\vdash \Gamma, \bot$) for $\bot$ (the negation of 1) is an instance of weakening;

- if $\Pi$ is a proof of $\vdash \Gamma, 0$ (0 is the negation of $\top$), then $\Pi$ is equivalent to the proof obtained by first cutting $\Pi$ with $\vdash \top, \bot$ (an instance of the axiom $\vdash \Gamma, \top$ for $\top$), then cutting with $\vdash 1$ (the axiom for 1), and finally weakening (the successive conclusions are $\vdash \Gamma, \bot$, $\vdash \Gamma$, and $\vdash \Gamma, 0$).

5. Sequential algorithms

In order to obtain a model of $\lambda$-calculus, we must construct a comonad accounting for the possible "duplication" of arguments. We have already suggested a meaning for the "unit of consumption" of inputs considered as resources. It appears most convenient in our setting to define this comonad via an adjunction. We construct a left adjoint to the inclusion functor of the category AFFALGO into the category ALGO of Berry-Curien's sequential algorithms [BeCu1, CuMon]. To this aim, we give yet another equivalent characterization of the morphisms of AFFALGO.

Definition (Affine abstract algorithms)

Let $M = (A,D,P)$ and $M' = (A',D',P')$ be two sds's. Recall that $D^\circ(M)$ denotes the set of finite strategies of $M$. An affine abstract algorithm $\chi$ from $M$ to $M'$ is a partial function from $D^\circ(M) \times Q'$ to $Q \cup R'$ which satisfies the following axioms:

(A1) $\chi(x,q') = q \Rightarrow q \in A(x)$

$\chi(x,q') = r' \Rightarrow r' = q'd'$ for some $d'$

(A2) $\chi(x,q') = q$, $q' \leq q'_1$, $x \leq y$ and $q \notin F(y) \Rightarrow \chi(y,q'_1) = q$

$\chi(x,q') = r'$ and $x \leq y \Rightarrow \chi(y,q') = r'$

(A3) $\chi(x,q')$ defined, $y \leq x$ and $q'_1 \leq q' \Rightarrow \chi(y,q'_1)$ defined

(AFF) $\chi(x,q')$ defined $\Rightarrow \chi(x,q') = \chi(r,q')$ for some $r \in x$

The composition of two affine abstract algorithms is defined as follows. Let $\chi$ be as above, and let $\chi'$ be an affine abstract algorithm from $M'$ to an sds $M''$. Then the composition $\chi''$ of $\chi$ and $\chi'$ is defined by:

- $\chi''(x,q'') = q''d''$ if $\chi'(\chi \cdot x, q'') = q''d''$

- $\chi''(x,q'') = q$ if $\chi'(\chi \cdot x, q'') = q'$ and $\chi(x,q') = q$

where $\chi \cdot x = \{q'd' \mid \chi(x,q') = q'd'\}$. ◇

We leave to the reader the abstract definition of the identity algorithm. The next proposition states that affine abstract algorithms are the same objects as symmetric algorithms.

Proposition (Symmetric/abstract)

There are order-isomorphisms between the sets of affine abstract algorithms and of symmetric algorithms, that preserve the composition of algorithms.

Proof: We construct the inverse mappings by going from symmetric algorithms to affine abstract algorithms, and from affine abstract algorithms to affine algorithms. To close the circle, we use the transformation of affine algorithms into symmetric algorithms justified in Theorem (Symmetric/affine). We call 1, 2, and 3 these transformations:

[Diagram: symmetric $(f,g)$ $\xrightarrow{\ 1\ }$ abstract $\chi$ $\xrightarrow{\ 2\ }$ strategy $\phi$ $\xrightarrow{\ 3\ }$ symmetric $(f,g)$.]
Transformation 1: Let $(f,g)$ be a symmetric algorithm. We build a function $\chi$ as follows:

- $\chi(x,q') = q'd'$ iff $q'd' \in f(x)$,

- $\chi(x,q') = x \rhd\!| g(q')$ iff $x \rhd g(q')$.

We check the axioms of Definition Affine abstract algorithms.

(A1): If $\chi(x,q') = q$, then by definition $x \rhd g(q')$ and $q = x \rhd\!| g(q') \in A(x)$. The second part of (A1) is built into the definition of $\chi$.

(A2): If $\chi(x,q') = q$, $q' \leq q'_1$, $x \leq y$ and $q \notin F(y)$, then $x \rhd\!| g(q') = y \rhd\!| g(q'_1)$, hence $\chi(y,q'_1) = \chi(x,q')$. The second part of (A2) is obvious by the monotonicity of $f$.

(A3): It is enough to prove separately that if $\chi(x,q')$ is defined and $q'_1d'_1 \leq q'$, then $\chi(x,q'_1)$ is defined, and that if $\chi(x,q')$ is defined and $y \leq x$, then $\chi(y,q')$ is defined. We thus concentrate first on $q'_1d'_1 \leq q'$. If $q'd' \in f(x)$, then a fortiori $q'_1d'_1 \in f(x)$, hence $\chi(x,q'_1)$ is defined. If $x \rhd g(q')$, let $q'_2 = M(g,q',x)$. In particular, $x \rhd g(q'_2)$. We distinguish two cases:

- $q'_1 \geq q'_2$: Then $x \rhd g(q'_1)$ and hence $\chi(x,q'_1) = \chi(x,q'_2) = \chi(x,q')$ is defined.

- $q'_1 < q'_2$: By (R) we have $q'_2 = f(x) \rhd\!| q'$: this entails $q'_1d'_1 \in f(x)$ and $\chi(x,q'_1) = q'_1d'_1$.

In either case, $\chi(x,q'_1)$ is defined.

Now we consider $y \leq x$. If $q'd' \in f(x)$, then $f(x) \lhd q'$. Let $r = M(f,x,q')$. We distinguish two cases:

- If $r \leq y$, then $f(y) \lhd q'$. Since $f(y) \leq f(x)$ implies $f(y) \lhd\!| q' = f(x) \lhd\!| q' = q'd'$, we have $q'd' \in f(y)$: hence $\chi(y,q')$ is defined.

- If $r \not\leq y$, then $f(y) \rhd q'$, hence, by (LS), $y \rhd g(q')$, and $\chi(y,q')$ is defined.

In either case, $\chi(y,q')$ is defined. If $x \rhd g(q')$, then, by property (3) of Lemma $x \lhd \alpha$, $y \leq x$ implies $y \rhd g(q')$, and hence $\chi(y,q')$ is defined. This completes the proof of (A3).

(AFF): If $\chi(x,q') = ra$, then $ra = x \rhd\!| g(q')$ by definition of $\chi$, that is, $ra \in A(x) \cap g(q')$. Then also $ra \in A(r) \cap g(q')$, hence $\chi(r,q') = ra$. The second part of (AFF) follows from the prime-continuity of $f$.


Transformation 2: We construct an affine algorithm $\phi$ out of an affine abstract algorithm $\chi$ from $M$ to $M'$. We build the paths $s$ of $\phi$ by induction on the length of $s$ (cf. Definition From symmetric to concrete):

- if $s \in \phi$, if $s\lceil M$ and $s\lceil M'$ are responses, and if $q' = (s\lceil M')a'$ for some $a'$ and $\chi(s\lceil M, q')$ is defined, then

$sa'a \in \phi$ if $\chi(s\lceil M, q') = (s\lceil M)a$
$sa'd' \in \phi$ if $\chi(s\lceil M, q') = q'd'$

- if $s \in \phi$, if $s\lceil M$ and $s\lceil M'$ are queries, and if $r = (s\lceil M)d$ for some $d$ and $\chi(r, s\lceil M')$ is defined, then

$sda \in \phi$ if $\chi(r, s\lceil M') = ra$
$sdd' \in \phi$ if $\chi(r, s\lceil M') = (s\lceil M')d'$

We omit the verification that this indeed defines an affine algorithm, and the proof that $1;2;3$ and $2;3;1$ are identity transformations. □

Berry-Curien’s  original  sequential  algorithms  are  obtained  by  withdrawing  (AFF). 

Definition (Abstract algorithms)

Let M and M' be as in Definition Affine abstract algorithms. An abstract algorithm is a partial function ψ from D°(M)×Q' to Q∪R' which satisfies the axioms (A1), (A2) and (A3). The composition of abstract algorithms is defined exactly as the composition of affine abstract algorithms.

This definition is mutatis mutandis the one appearing in [CuMon, Definition 2.5.4], and is equivalent to it. The only difference lies in the fact that in [CuMon] we require that if ψ is defined at (x,q'), then q' is enabled from ψ.x. This limitation can be removed when the concrete data structures are sequential (see [CuMon, Definition 2.1.10, and (in the second edition) exercise 2.4.5.1]), as is the case for sequential data structures.

Theorem (CCC)

The category ALGO of sequential data structures and (abstract) sequential algorithms is cartesian closed.

Proof: The proof can be found in [BeCu1, CuMon], in the setting of concrete data structures. As we have seen, the product already exists in the subcategory of affine sequential algorithms, and it is easily verified that it is still a product in the category of sequential algorithms. The exponent M→M' is most readily described, not as an sds, but as a filiform concrete data structure (C'',V'',E'',⊢), defined as follows:

- C'' = D°(M)×Q',

- V'' = Q∪R',

- ((x,q'),q) ∈ E'' iff q ∈ A(x),
  ((x,q'),r') ∈ E'' iff r' = q'd' for some d',

- ((x,q'),q) ⊢ (x₁,q') iff x₁ = x∪{qd} for some d,
  ((x,q'),d') ⊢ (x,q'₁) iff q'₁ = q'd'a' for some a'.

Notice that in this description a cell (x₁,q'₁) may have two enablings: a "valof" enabling ((x,q'₁),q) or an "output" enabling ((x₁,q'),d'). In order to turn this description of M→M' into an sds, one has to "split" the cell (x₁,q'₁) in as many ways as there are to enable it. We indicate in the appendix of [CCF] how to do this. Another less direct way of constructing M→M' as an sds is to rely on the next theorem, and to define M→M' as □

Our presentation makes it clear that the category of sds's and affine algorithms is included in the category of sds's and sequential algorithms. The following piece of categorical reasoning then tells us what to do.

Proposition (CoKleisli and inclusion)

Let C and C' be two categories having the same class of objects, and such that for each pair of objects A and B, the homset C(A,B) is included in C'(A,B). If the inclusion functor ι: C→C' has a left adjoint !, then C' is isomorphic to the CoKleisli category associated with the comonad ! ∘ ι: C→C (! for short). □

Hence, in order to define a model of intuitionistic affine logic, we only have to construct a left adjoint !: ALGO→AFFALGO to the inclusion functor. Another piece of categorical folklore tells us that we only need to construct ! on objects, and to build appropriate natural bijections. The following definition agrees with that given in [Lam1].

Definition (Exponential)

Let M be an sds. We define !M = (Q,R,P_!), where we recall that Q and R are the sets of queries and responses of M, and where P_! is the collection of alternating non-ε and non-repetitive paths σ over Q∪R which satisfy the following conditions:

- every prefix σ₁r of σ, where r = q₁d for some d, is such that σ₁ ends with q₁,

- every prefix σ₁q of σ, where q = r₁a for some a, is such that some prefix of σ₁ ends with r₁.

Such paths are called path sequences. □

It  is  easily  seen  that  the  collection  of  response  prefixes  of  a  response  p  of  !M  forms 
a  finite  strategy  of  M.  Hence  the  prime  elements  of  the  domain  !M  represent  the  finite 
strategies  of  M.  This  is  reminiscent  of  the  coherent  semantics  of  linear  logic,  where  the 
tokens  of  the  exponential  !D  are  the  finite  cliques  of  D  [GirLin].  But  notice  here  that  the 
same  “clique”  x  gives  in  general  rise  to  as  many  “tokens”  of  the  exponential  as  there  are 
ways  to  sequentialize  x. 
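As an added example (not code from the paper), the following Python checks the two path-sequence conditions of Definition (Exponential) on concrete paths, collects the response prefixes of a response p of !M and checks that they form a finite strategy of M, and enumerates the path sequences that sequentialize a given finite strategy, which is the "as many tokens as ways to sequentialize x" remark made concrete. The tuple encoding of positions, the function names and the sample sds are this example's own assumptions.

```python
# Added example: path sequences of !M (Definition (Exponential)), the M-responses occurring in a
# response p of !M, and the sequentializations of a finite strategy of M.
# Positions of an sds M are encoded (this example's own convention) as tuples alternating
# addresses and data: a query ends with an address (odd length), a response with a datum.
from typing import FrozenSet, List, Sequence, Set, Tuple

Position = Tuple[str, ...]
EPSILON: Position = ()          # the empty path, a prefix of every path


def is_query(p: Position) -> bool:
    return len(p) % 2 == 1


def is_response(p: Position) -> bool:
    return len(p) > 0 and len(p) % 2 == 0


def is_path_sequence(sigma: Sequence[Position]) -> bool:
    """Alternating, non-empty, non-repetitive path over Q ∪ R satisfying the two
    conditions of Definition (Exponential)."""
    if not sigma or len(set(sigma)) != len(sigma):          # non-ε and non-repetitive
        return False
    for i, pos in enumerate(sigma):
        if pos == EPSILON or is_query(pos) != (i % 2 == 0):  # queries and responses alternate
            return False
        prefix = sigma[:i]
        if is_response(pos):
            # prefix σ₁r with r = q₁d: σ₁ must end with q₁
            if not prefix or prefix[-1] != pos[:-1]:
                return False
        else:
            # prefix σ₁q with q = r₁a: some prefix of σ₁ ends with r₁, i.e. r₁ occurs in σ₁
            # (an initial query has r₁ = ε, which every σ₁ trivially has as a prefix)
            r1 = pos[:-1]
            if r1 != EPSILON and r1 not in prefix:
                return False
    return True


def response_prefixes(p: Sequence[Position]) -> Set[Position]:
    """The M-responses occurring in a response p of !M (its collection of response prefixes)."""
    return {pos for pos in p if is_response(pos)}


def is_finite_strategy(x: Set[Position]) -> bool:
    """A finite strategy of M: a set of responses closed under response prefixes, in which
    no query is answered by two different data."""
    answered: Set[Position] = set()
    for r in x:
        if not is_response(r):
            return False
        q = r[:-1]                          # r = q d
        if q in answered:
            return False
        answered.add(q)
        parent = q[:-1]                     # q = r' a; r' must already be in x unless r' = ε
        if parent != EPSILON and parent not in x:
            return False
    return True


def sequentializations(x: Set[Position]) -> List[Tuple[Position, ...]]:
    """All responses p of !M with response_prefixes(p) == x: one per way of sequentializing x.
    A response r = qd is placed right after its query q, once the parent response of q is placed."""
    def go(seq: List[Position], placed: FrozenSet[Position], remaining: FrozenSet[Position]):
        if not remaining:
            yield tuple(seq)
            return
        for r in sorted(remaining):
            if r[:-2] == EPSILON or r[:-2] in placed:
                yield from go(seq + [r[:-1], r], placed | {r}, remaining - {r})
    return list(go([], frozenset(), frozenset(x)))


# Constructed sample sds: addresses 'a', 'b', 'c' and data '0', '1'.
GOOD = [('a',), ('a', '0'), ('a', '0', 'b'), ('a', '0', 'b', '1'), ('c',), ('c', '0')]
BAD_ORDER = [('a',), ('a', '0'), ('c', '1')]      # response ('c','1') not preceded by its query ('c',)
BAD_REPEAT = [('a',), ('a', '0'), ('a',)]         # the query ('a',) is explored twice
```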
Notation

Given a response p of !M, we denote by ‖p‖ the collection of response prefixes of p.

Theorem (Adjunction)

Let M and M' be two sds's. There is an order-isomorphism ξ_{M,M'} between the set of abstract algorithms from M to M' and the collection of affine abstract algorithms from !M to M'. This bijection is natural in M', that is, for any abstract algorithm M→M' and for any affine abstract algorithm φ we have:

Thus ! and the collection of bijections ξ define a left adjoint to the inclusion functor.

Proof: We only provide the definitions of the inverse mappings. Let ψ be an abstract algorithm from M to M'. We construct an affine abstract algorithm χ as follows:

- χ(pqr,q') can be defined only if χ(p,q') is defined:
  if χ(p,q') = r' then χ(pqr,q') = r',
  if χ(p,q') = q₁ ≠ q then χ(pqr,q') = q₁,
  if χ(p,q') = q then χ(pqr,q') = ψ(‖pqr‖,q').

We set ξ(ψ) = χ. Conversely, let χ be an affine abstract algorithm from !M to M'. We construct an abstract algorithm ψ as follows. We need to keep track of the order of exploration of the input: ψ(x,q') is defined when we can successfully build a path

q₁r₁…qₙ   or   q₁r₁…qₙrₙ

of !M such that

χ(ε,q') = q₁, r₁ = q₁d₁ ∈ x, …, χ(q₁r₁…qₙ₋₁rₙ₋₁,q') = qₙ and

qₙ ∈ A(x)   or

rₙ = qₙdₙ ∈ x and χ(q₁r₁…qₙrₙ,q') = r'

and we set ψ(x,q') = qₙ or ψ(x,q') = r' in the respective cases. □

Still by categorical reasoning, the conjunction of Theorem CCC and of Theorem Adjunction provides natural isomorphisms between !M ⊗ !M' and !(M×M'). We thus have all the ingredients for a semantics of affine intuitionistic logic, with connectives ⊗, !, ⊸, × and T.


Digression:  sequential  algorithms  and  errors 

We end this section with a digression. We have described (affine) sequential algorithms as pairs of two functions formalizing both an input-output behaviour and a computation strategy. It turns out that an enlargement of the domains with error elements allows us to capture the computation strategy as part of the input-output behaviour. This key observation, due to Cartwright and Felleisen [CF], has been integrated in the framework of concrete data structures and of sequential data structures in [CuObs, CCF], where larger categories of (sequential and) error-sensitive functions are considered.

We  owe  to  Streicher  the  observation  that  sequential  algorithms  can  be  recast  as 
those  error-sensitive  functions  that  are  also  error-reflecting.  We  briefly  explain  these 
notions  and  justify  this  claim. 

Notation 

We suppose that a non-empty set of error elements is given, which is disjoint from any set of addresses used in any sds. We call this set Err, and use e to range over it. The following definition is taken from [CCF].

Definition (Observable strategy)

Let M be an sds. An observable response of M is either a response of M, or a path of the form qe where q is a query of M and where e ∈ Err. An observable strategy of M is a set of observable responses that is closed under response prefixes and non-ε glb's. If x is an observable strategy, F(x) denotes the set of queries q such that q* ∈ x, for some * ∈ D∪Err, and A(x) is as in Definition Sequential data structure. The set of observable strategies of M is written D_Err(M). □

The  following  statement  formalizes  Streicher’s  suggestion. 

Proposition (Errors)

Let M and M' be two sds's. There is an order-isomorphism between D(M⊸M') and the set of error-sensitive and error-reflecting continuous functions h: D_Err(M)→D_Err(M'), which are defined as follows.

- Error-sensitivity: for any x and q' such that q' ∈ A(h(x)) and q' ∈ F(h(z)) for some z ≥ x, there exists q ∈ A(x) such that

  - for any y ≥ x, q' ∈ F(h(y)) implies q ∈ F(y), and

  - h(x ∪ {qe}) = h(x) ∪ {q'e}, for any e ∈ Err.

  Such a q is called the sequentiality index of h at (x,q') (the second condition implies the uniqueness of q).

- Error-reflection: for any q', e, and y, if q'e ∈ h(y), then for some x ≤ y, h has a sequentiality index q at (x,q'), and x ∪ {qe} ≤ y.


These  order-isomorphisms  preserve  the  composition  of  morphisms  of  ALGO,  thus 
error-sensitive  and  error-reflecting  continuous  functions  are  just  an  alternative  way  of 
presenting  the  morphisms  of  the  category  ALGO. 

Proof hint: In [CuObs] and [CCF, corollary 6.21] we have shown that the error-sensitive functions are in order-isomorphic correspondence with the observable strategies of M⊸M'. We just have to show that the inverse functions map strategies to error-sensitive and error-reflecting continuous functions and vice-versa, which is almost immediate. □

We believe that the previous statement should have a more abstract meaning than the a priori ad hoc nature of a set of errors could induce one to believe. Errors allow us to "reverse the flow of information" by transferring the output-directed information contained in the component g of a (symmetric) algorithm (f,g) into the input-output function f of the algorithm.

6. Further remarks

In this section we include miscellaneous remarks. First we exhibit an intriguing self-adjunction. Consider the following construction. Let M = (A,D,P) be an sds. We define †M = (D∪{o}, A, {op | p ∈ P}). It is easily seen that this operation on objects extends to a functor †: AFFALGO → AFFALGO^op. It is also useful to observe:

- D(†(M)) = D⊥(M) ∪ {o},

- D⊥(†(M)) = D(M).

Proposition (Self-adjoint)

The functor †: AFFALGO → AFFALGO^op is left adjoint to itself.

Proof: Let M and M' be two sds's. A morphism from †(M') to M in AFFALGO^op is a morphism from M to †(M') of AFFALGO, that is,

- a pair of a function from D(M) to D(†(M')) and a partial function from D⊥(†(M')) to D⊥(M),

which amounts to:

- a pair of a partial function from D(M) to D⊥(M') and a partial function from D(M') to D⊥(M),

which in turn can be presented as:

- a pair of a partial function from D⊥(†(M)) to D⊥(M') and a function from D(M') to D(†(M)),

that is, a morphism from M' to †(M) in AFFALGO. □
The construction † is linked with the separated sum construction on concrete data structures [BeCu1, CuMon]. Specifically we define:

M + M' = †(†(M)×†(M'))

The resulting (Lamarchian) sds is represented in Figure 14. It is such that D(M+M') is the separated sum of D(M) and D(M') [PloD].

Figure 14: Separated sum

The above self-adjunction property was pointed out to the author by Hyland, who also noticed:

The category of games considered in [AJ2] can be obtained out of the category of sds's and (winning) affine sequential algorithms by an instance of Chu's construction [Barr].

This general construction allows one to get a *-autonomous category out of a cartesian, monoidal closed category C, and is parametrized by a distinguished object of C. We briefly describe it in the instance which interests us here, where the distinguished object is the terminal object 1 of C. The category Chu(C,1), Chu(C) for short, has as objects pairs (M⁺,M⁻) of two objects, and as morphisms between (M⁺,M⁻) and (M'⁺,M'⁻) pairs (a ∈ C(M⁺,M'⁺), b ∈ C(M'⁻,M⁻)). It is easy to check that the following yields a monoidal closed structure on Chu(C):

- (M⁺,M⁻)⊗(M'⁺,M'⁻) = (M⁺⊗M'⁺, (M⁺⊸M'⁻)×(M'⁺⊸M⁻)),

- the unit is (I,1), where I is the unit of the tensor and 1 is terminal in C,

- (M⁺,M⁻)⊸(M'⁺,M'⁻) = ((M⁺⊸M'⁺)×(M'⁻⊸M⁻), M⁺⊗M'⁻).

Moreover, taking (1,I) to be the interpretation of ⊥, we obtain a *-autonomous structure, where (M⁺,M⁻)^⊥ is (M⁻,M⁺).

It is natural to recover C as the full subcategory of objects of the form (M,1), and C^op as the full subcategory of objects of the form (1,M). Let us now briefly consider the homsets in Chu(C) corresponding to the various combinations of polarities. We have:

- Chu(C)((M,1),(M',1)) = C(M,M'),

- Chu(C)((M,1),(1,M')) is a singleton,

- Chu(C)((1,M),(M',1)) = C(1,M')×C(1,M),

- Chu(C)((1,M),(1,M')) = C(M',M).

A more precise formulation of Hyland's observation is that the category of games G of [AJ2] can be obtained as Chu(G⁺), where G⁺ is a category of winning affine sequential algorithms.

A notable difference between the affine intuitionistic model considered here and the models in [AJ2, Lam1] is that the latter do not validate weakening. The arguments (and the categories considered) are different in [AJ2] and [Lam1].

- Abramsky-Jagadeesan: By De Morgan laws, finding a winning strategy in A⊗B⊸A amounts to finding a winning strategy in (A⊸A)⅋B^⊥ (where ⅋ is the dual of ⊗). Let A be an sds, and let B be the game (of polarity ∘) consisting of an empty set of addresses and a single datum: B = (∅,{d},{d}). Both A⊸A and B^⊥ are sds's M and M'. Let us examine the definition of ⅋ in G:

  - (M⁺,M⁻)⅋(M'⁺,M'⁻) = ((M⁻⊸M'⁺)×(M'⁻⊸M⁺), M⁻⊗M'⁻).

  When specialized to sds's (M,1) and (M',1), it amounts to:

  (M,1)⅋(M',1) = (M'×M,1)

  (cf. Chu(C)((1,M),(M',1)) above). In other words, for this combination of polarities, the ⅋ is ... the product.

  While the copycat strategy, which is winning in A⊸A, is also a strategy in (A⊸A)⅋B^⊥, it is not winning in (A⊸A)⅋B^⊥. In fact, there is no winning strategy in (A⊸A)⅋B^⊥. (That is, there is no winning strategy in A⊗B⊸A, and weakening thus fails.) To see this, recall that winning means: winning against any counterstrategy. Consider the counterstrategy consisting of the move d in B^⊥ by the opponent. The player's first move has to be in B^⊥ since the initial move in A⊸A is an opponent's move. But since the player has no move in B^⊥, he is stuck.

- Lamarche: Unlike us, and unlike [AJ2], Lamarche accepts both ε paths and empty strategies in his formalization of games and strategies: as a consequence, for him, the terminal object is the empty game. On the other hand, the unit is the empty sds, that is, in Lamarche's terminology, the game consisting of only one move, by the player. Thus the strong form of weakening provided by the coincidence terminal/unit fails in Lamarche's model [Lam1].

We end this discussion of weakening by considering (a variant of) Lamarche's polarized constructions, where, as we did in Section 2, we assume that strategies are non-empty. We first suggest how a category Ĝ whose objects are either sds's M• or games M∘ of polarity ∘ could be built. Its homsets could be defined by cases as follows (the linear negation ()^⊥ is defined by reversing the polarities of all the nodes of the game represented as a tree):

- Ĝ(M•,M'•) = AFFALGO(M•,M'•),

- Ĝ(M•,M'∘) is the collection of strategies of (M•)^⊥ ⅋ M'∘, where ⅋ is defined on games of polarity ∘ dually to the tensor product of AFFALGO,

- Ĝ(M∘,M'•) is empty,

- Ĝ(M∘,M'∘) = AFFALGO((M'∘)^⊥,(M∘)^⊥).

These definitions are dictated by De Morgan laws and by Table 1 (cf. Section 3):

Notice that this tentative category Ĝ looks quite different from G in the mixed situations of morphisms between two objects of different polarities. We do not pursue here an investigation of Ĝ, but we limit ourselves to observing that weakening fails in Ĝ for yet another reason. As a counterpart of Ĝ(M∘,M'•) = ∅, we have that the ⅋ of two sds's is not defined, so that a fortiori there is no strategy in (A⊸A)⅋B^⊥, whatever B of polarity ∘ is.

One  lesson  of  the  above  discussion  is  that  while  the  current  game-theoretic 
semantics  of  (fragments  of)  linear  logic  all  roughly  agree  on  the  intuitionistic  affine 
fragment,  they  seem  to  be  hard  to  compare  outside  this  fragment.  And  indeed,  the 
models  of  [Lam2]  on  one  side,  and  of  [AJ2,  HO]  on  the  other  side,  lead  to  quite 
different  completeness  results: 

-  Lamarche  characterizes  the  winning  strategies  which  are  meanings  of  proofs,  in  a 
fragment  of  linear  logic  that  contains  the  additive  connectives,  via  conditions  that 
are  reminiscent  of  the  trip  conditions  in  proof  nets; 

- Abramsky and Jagadeesan define a notion of history-free strategy, and show that any winning and history-free strategy is the meaning of a unique cut-free proof of the multiplicative fragment of linear logic augmented with the MIX rule [Gir]. Hyland and Ong add a fairness constraint to the games, and show the same result with respect to the multiplicative fragment of linear logic (without the MIX rule).

We end with a question. We wonder whether game-theoretic semantics can be defined at a more abstract level. A step in this direction was already taken by Bucciarelli and Ehrhard [BuEhr]. They have generalized the notion of sequential algorithm in a setting of so-called sequential structures (X_*,X^*), where X_* and X^* are two partial orders, formalizing the idea of a space of data (or "points") and a space of questions (or "opens"). A sequential structure is endowed with a predicate, call it ANSWER, over X_*×X^*. If (x,y) ∈ ANSWER, we say that x answers question y. This is reminiscent of the winning predicate ⊲. But in [BuEhr], as in [LS], the predicate ANSWER is not refined to a notion of result of an interplay, as done here. We wonder whether we could define an abstract category of games (X_*,X^*), equipped with a function I mapping the elements of X_*×X^* to the set of primes of X_* or X^*. Any sds M gives rise to such a structure (D(M), D⊥(M)), with I as defined by Proposition Play. What seems needed to carry out this program is a good denotational interpretation of the counter-strategies of an exponent sds.
Computational Adequacy via 'Mixed' Inductive Definitions

Abstract. For programming languages whose denotational semantics uses fixed points of domain constructors of mixed variance, proofs of correspondence between operational and denotational semantics (or between two different denotational semantics) often depend upon the existence of relations specified as the fixed point of non-monotonic operators. This paper describes a new approach to constructing such relations which avoids having to delve into the detailed construction of the recursively defined domains themselves. The method is introduced by example, by considering the proof of computational adequacy of a denotational semantics for expression evaluation in a simple, untyped functional programming language.


1  Introduction 

It is well known that various domain constructors can be extended to act on relations on domains. For example, given binary relations R and S on domains D and E, there is a binary relation R→S on the domain of continuous functions D→E given by: (f,g) ∈ (R→S) if and only if for all (x,y) ∈ R, (f(x),g(y)) ∈ S. The utility of such constructions on relations can be seen in the various applications of 'logical relations' techniques in denotational semantics, pioneered by Milne [6], Plotkin [10, 11] and Reynolds [12]. For applications to programming language semantics, undoubtedly the most important domain-construction technique is that of solving recursive domain equations. In general, the body of a domain equation may involve not only positive, but also negative occurrences of the defined domain. Traditionally, the construction of the action on relations of such a recursively defined domain constructor has involved delving into the quite heavy technical machinery used to establish the existence of the domain itself. In [9] the author described a more elementary method of construction, inspired by Freyd's recent categorical analysis of recursive types [1, 2, 3]. It makes use of mixed inductive/co-inductive definitions. Apart from this, only quite straightforward domain-theoretic techniques are needed — namely fixed point induction and the fact that the identity function on a recursively defined domain is the least fixed point of a certain continuous functional canonically associated with the domain equation.

In this paper, we illustrate the use of this new method of construction of relations on recursively defined domains by example. We consider a specific application where such relations are needed — namely the proof of correspondence between the denotational and operational semantics of a functional programming language. Recall that a denotational semantics is called 'computationally adequate' for an operationally defined expression evaluator provided any expression evaluates to canonical form just in case its denotation is not the bottom element of the corresponding semantic domain. This property is important since, combined with compositionality of the denotational semantics, it implies that observational equivalence of programming language expressions may be established via equality of denotations. See Meyer [5] for a discussion of this property. Proofs of computational adequacy are non-trivial when the denotational semantics of the programming language involves solving recursive domain equations X = Φ(X) in which X occurs negatively (and maybe also positively) in the domain constructor Φ(X). We consider a very simple example of this — an untyped lambda calculus — in order not to obscure the novelty of our approach with language-related details.

The computational adequacy property is reviewed in Sect. 2, where we recall how it can be established via the existence of a certain recursively specified relation of 'formal approximation' between domain elements and programs. Our new method of construction of the formal approximation relation ◁ is given in Sect. 3. The method involves three steps:

— First, the negative and positive occurrences of ◁ in the body of its recursive specification ◁ = Φ(◁) are replaced by fresh variables ◁⁻ and ◁⁺ respectively. This results in a new operator Φ(◁⁻,◁⁺) which is monotonic in ◁⁺, anti-monotonic in ◁⁻, and from which the original operator Φ can be obtained by diagonalizing. (This separation of variables is a key feature of Freyd's recent analysis of recursive types.)

— Secondly, the new operator Φ(◁⁻,◁⁺) is used to give simultaneous inductive definitions of positive and negative versions of the formal approximation relation.

— Lastly, these positive and negative versions are proved equal, and so by construction constitute the required relation. The proof of equality is a simple fixed point induction argument. It makes use of a key property of recursively defined domains, namely that they are 'minimal invariants' for their associated domain constructor: see Definition 2.

Finally in Sect. 4 we indicate an important aspect of the above method of construction, namely that it not only produces a suitable relation, but also characterizes it via a 'universal property' (in the category-theoretic sense). It is this universal property which gives rise to the reasoning principles established in [8, 9].
2 Computational adequacy

In this section we review the standard approach to proving computational adequacy, using a very simple untyped functional programming language ℒ to illustrate what is involved. ℒ is an untyped version of Plotkin's call-by-name PCF [10]. Its expressions are given by:

M ::= x                           variables
    | n                           numerals
    | suc(M)                      successor
    | pred(M)                     predecessor
    | if M = 0 then M else M      conditional
    | λx.M                        function abstraction
    | MM                          function application

where x runs over a fixed, infinite set of variables, and n runs over the set of integers, Z. Function abstraction is the only variable-binding construct (occurrences of x in M are bound in λx.M). We denote by M[M'/x] the result of substituting an expression M' for all free occurrences of x in M (subject to the usual conventions about renaming bound variables if necessary to avoid variable capture).

Let Prog ('programs') denote the collection of closed expressions in ℒ, i.e. those with no free variables. We denote by Val ('values') the subset of Prog consisting of all canonical forms, which here means all closed expressions that are either numerals n or function abstractions λx.M. An operational semantics for ℒ can be given via an evaluation relation

P ⇓ V   (P ∈ Prog, V ∈ Val)

which is the subset of Prog × Val inductively defined by the rules in Table 1. The last rule embodies the non-strict, or 'call-by-name' scheme for evaluating function applications.

Table 1. Rules for evaluating programs in ℒ.

 V ⇓ V            P ⇓ n                P ⇓ n+1
            ―――――――――――――――――      ―――――――――――――――
             suc(P) ⇓ n+1            pred(P) ⇓ n

        P ⇓ 0    Q ⇓ V                           P ⇓ n    R ⇓ V'
 ――――――――――――――――――――――――――――――――――――    ―――――――――――――――――――――――――――――――――――― (n ≠ 0)
 (if P = 0 then Q else R) ⇓ V           (if P = 0 then Q else R) ⇓ V'

      P ⇓ λx.M    M[Q/x] ⇓ V'
 ――――――――――――――――――――――――――――――――
             PQ ⇓ V'
Denotational semantics for expressions in ℒ can be given using a solution to the domain equation

D ≅ (Z + (D→D))⊥ .   (1)

Here we can take 'domain' to mean a partially ordered set with a least element ⊥ and possessing least upper bounds ⊔_{i<ω} d_i of all countable chains d₀ ⊑ d₁ ⊑ ⋯. The domain on the right-hand side of (1) is the lift of the disjoint union of the set of integers Z (discretely ordered) with the domain of continuous functions D→D (ordered pointwise). Thus a domain D is a solution to (1) if it comes equipped with continuous functions

num : Z → D
fun : (D→D) → D

which combine to give an order isomorphism between the disjoint union Z + (D→D) and {d ∈ D | d ≠ ⊥}. Given such a D, one can assign to each ℒ-expression M and each environment ρ (a finite partial function from the set of variables to D) whose domain of definition contains the free variables of M, an element

⟦M⟧ρ ∈ D .

The definition of ⟦M⟧ρ is by induction on the structure of M and is quite standard; for the record, we give the clauses of the definition in Table 2. The clause for λx.M uses the notation ρ[x ↦ d] to indicate the environment mapping x to d and otherwise acting like ρ.

If an environment ρ' extends ρ, then ⟦M⟧ρ' = ⟦M⟧ρ. In particular for programs P ∈ Prog, i.e. for closed expressions, ⟦P⟧ρ is an element of D which is independent of ρ, and which we write simply as ⟦P⟧. The following property can be established by induction on the derivation of the evaluation P ⇓ V.

Proposition 1 (Soundness). If P ⇓ V then ⟦P⟧ = ⟦V⟧.

Of course one cannot expect the converse of this soundness property to hold, since function abstractions are canonical forms whether or not the body of the abstraction is fully evaluated. For example ⟦λx.suc(0)⟧ = ⟦λx.1⟧, but λx.suc(0) ⇓ λx.1 does not hold. However, if ⟦P⟧ = ⟦V⟧, then since (from Table 2) the denotations of canonical forms are non-bottom elements of D, one at least has that ⟦P⟧ ≠ ⊥. D is called computationally adequate if for all programs P, ⟦P⟧ ≠ ⊥ holds (if and) only if P ⇓ V holds for some canonical form V. The point of this property is that it permits observational equivalence of ℒ-expressions to be established via equality of denotations: see Meyer [5].

Whilst the soundness property of Proposition 1 holds for any domain D which is a solution for the domain equation (1), computational adequacy only holds if D is a suitably minimal solution. One way of expressing this minimality, essentially due to D. Scott, is as follows.


Table 2. Denotations of ℒ-expressions.

⟦x⟧ρ = ρ(x)

⟦n⟧ρ = num(n)

⟦suc(M)⟧ρ = num(n+1)   if ⟦M⟧ρ = num(n)
          = ⊥          otherwise

⟦pred(M)⟧ρ = num(n−1)  if ⟦M⟧ρ = num(n)
           = ⊥         otherwise

⟦if M = 0 then M' else M''⟧ρ = ⟦M'⟧ρ    if ⟦M⟧ρ = num(0)
                             = ⟦M''⟧ρ   if ⟦M⟧ρ = num(n) and n ≠ 0
                             = ⊥        otherwise

⟦λx.M⟧ρ = fun(λd ∈ D.⟦M⟧ρ[x ↦ d])

⟦MM'⟧ρ = f(⟦M'⟧ρ)   if ⟦M⟧ρ = fun(f)
       = ⊥          otherwise


Definition 2 (Minimal invariant property). Let Φ(−) =def (Z + ((−) → (−)))_⊥. An invariant for Φ is a domain D equipped with an order isomorphism i : D ≅ Φ(D). Such an invariant is minimal if the identity function id_D ∈ (D → D) is the least fixed point of the continuous function δ_Φ : (D → D) → (D → D) which maps e ∈ (D → D) to i^{-1} Φ(e) i. Here Φ(e) : Φ(D) → Φ(D) is the function which is the identity on ⊥ and integers, and acts on functions by pre- and post-composing with e. Thus if the isomorphism i is described in terms of functions num : Z → D and fun : (D → D) → D as above, then

\[
\delta_\Phi(e)(d) = \begin{cases} \mathrm{num}(n) & \text{if } d = \mathrm{num}(n) \\ \mathrm{fun}(e \circ f \circ e) & \text{if } d = \mathrm{fun}(f) \\ \bot & \text{if } d = \bot \end{cases} \qquad (2)
\]

for all e ∈ (D → D) and all d ∈ D.

Theorem 3 (Computational Adequacy). If (D, i) is a minimal invariant for (Z + ((−) → (−)))_⊥, then the denotational semantics of ℒ in D is computationally adequate, i.e. for all P ∈ Prog

\[ \exists V\,(P \Downarrow V) \;\Leftrightarrow\; [\![P]\!] \neq \bot . \]

The statement of this theorem appears more general than corresponding results in the literature, which refer to the computational adequacy of a particular domain. However it is not really so general, since one can show that

- the minimal invariant property characterizes solutions to domain equations uniquely up to isomorphism; and

- the solutions to domain equations D ≅ Φ(D) (for a wide class of domain constructors Φ(−)) constructed via any of the several methods available in the literature (such as via colimits of embedding-projection pairs: see [4, Sect. 10.1]; or via Scott's 'information systems': see [15, Chap. 12]) yield minimal invariants. Indeed, the minimal invariant property amounts to the fact, familiar from the 'local' characterization of colimits of chains of embeddings [14, Theorem 2], that any element d of a recursively defined domain rec X.Φ(X) can be expressed as the least upper bound of a chain of projections of the element:

\[ d = \bigsqcup_{i<\omega} \pi_i(d) . \]

However, it seems a step forward to have an abstract criterion on solutions of domain equations that suffices for computational adequacy. Moreover, the key construction needed in the new proof of Theorem 3 which we give in the next section relies directly upon the minimal invariant property of D rather than upon any particular concrete construction of the domain.

The  classical  method  for  proving  Theorem  3  is  an  adaptation  by  Milne  [6] 
and  Plotkin  [10,  11]  of  Tait’s  use  of  ‘computability’  predicates  in  normalization 
proofs.  It  relies  upon  the  construction  of  a  binary  relation  between  domain  ele¬ 
ments  and  programs  with  the  following  properties. 

Definition 4. Let D be a solution to (1). A formal approximation relation is a binary relation ◁ ⊆ D × Prog satisfying:

1. For all d ∈ D and P ∈ Prog, d ◁ P if and only if
   either d = ⊥,
   or d = num(n) for some n such that P ⇓ n,
   or d = fun(f) and P ⇓ λx.M for some f and λx.M such that for all d', P', if d' ◁ P' then f(d') ◁ M[P'/x].

2. If d_0 ⊑ d_1 ⊑ d_2 ⊑ ··· is a chain in D with d_i ◁ P for all i, then ⊔_{i<ω} d_i ◁ P.

Given such a formal approximation relation, for any expression M, any environment ρ whose domain of definition dom(ρ) = {x_1, ..., x_n} contains the free variables in M, and any programs P_1, ..., P_n, it is easy to prove by induction on the structure of M that

\[ \rho(x_1) \lhd P_1 \wedge \cdots \wedge \rho(x_n) \lhd P_n \;\Rightarrow\; [\![M]\!]\rho \lhd M[P_1/x_1, \ldots, P_n/x_n] . \]

In particular, in case n = 0 we obtain for all programs P that

\[ [\![P]\!] \lhd P . \]

Hence if ⟦P⟧ ≠ ⊥, then by the properties of ◁ in part 1 of Definition 4, it follows that P ⇓ V for some V, as required for computational adequacy.

Therefore, to complete the proof of Theorem 3 we need to demonstrate that when D is a minimal invariant for (Z + ((−) → (−)))_⊥, there exists a relation ◁ as in Definition 4.

3 A new construction of the relation ◁


Let  us  begin  by  pointing  out  why  the  existence  of  a  relation  <  as  in  Definition  4 
is  problematic.  One  can  formulate  the  problem  as  one  of  solving  a  certain  fixed 
point equation. Let Rel be the set of all binary relations R ⊆ D × Prog which contain {⊥} × Prog and which satisfy condition 2 of Definition 4. In other words a binary relation R is in Rel if and only if for each P ∈ Prog, {d | (d, P) ∈ R} is an admissible subset of the domain D, i.e. chain-complete and containing ⊥. Define an operation φ : Rel → Rel by:

\[
\phi(R) \stackrel{\mathrm{def}}{=} \{ (d,P) \mid d = \bot \;\vee\; \exists n\,(d = \mathrm{num}(n) \wedge P \Downarrow n) \;\vee\;
\exists f, \lambda x.M\,(d = \mathrm{fun}(f) \wedge P \Downarrow \lambda x.M \wedge \forall (d',P') \in R.\,(f(d'), M[P'/x]) \in R) \} .
\]

Then a formal approximation relation is precisely an element ◁ ∈ Rel satisfying ◁ = φ(◁). It is easy to see that Rel is closed under taking intersections of binary relations, and hence it is a complete lattice when ordered by inclusion, ⊆. However, φ is not a monotonic operation for ⊆ (since the definition of φ(R) contains a negative as well as a positive occurrence of R), so we cannot appeal to the familiar Tarski fixed point theorem to construct a fixed point for φ.

In the literature, two methods can be found for constructing relations on recursively defined domains with certain non-monotonic fixed point properties. One method, due to Milne, Plotkin and Reynolds, makes use of Scott's construction of a recursively defined domain D ≅ Φ(D) as the colimit of a chain of embedding-projections D_0 → D_1 → ···, where the domain D_n is obtained by iterating the domain constructor Φ(−) n times, starting with the trivial domain {⊥}. Then ◁ can be constructed as an inverse limit of relations ◁_n ⊆ D_n × Prog built up by iterating an appropriate action of Φ(−) on relations; see [12].

A second method, essentially due to Martin-Löf, applies only to Scott domains (precluding the use of constructors like the Plotkin powerdomain) and makes use of their presentation in terms of 'information systems' [13]. This method hinges upon the fact that for each program P, {d | d ◁ P} is in fact a Scott-closed subset of D. Hence it suffices to construct the relation ◁ only for compact elements of D, since d ◁ P holds if and only if a ◁ P holds for all compact a with a ⊑ d. Information systems provide a formal language for compact elements of (recursively defined) Scott domains, and a ◁ P (a compact) can be defined by a well-founded induction on the size of (a formal representation of) a. See [15, Sect. 13.4].

Here  we  present  a  third  method,  which  is  more  abstract  than  the  above  two 
in  that  it  relies  upon  the  ‘minimal  invariant’  property  of  Definition  2  rather 
than  either  of  the  techniques  for  giving  concrete  constructions  of  recursively 
defined  domains  mentioned  above.  To  begin  with,  following  Freyd’s  recent  work 
on  recursive  types  [1,  2,  3],  we  separate  the  positive  and  negative  occurrences  of 
R in the definition of φ(R). Thus given two relations R^-, R^+ ∈ Rel, define:

\[
\psi(R^-, R^+) \stackrel{\mathrm{def}}{=} \{ (d,P) \mid d = \bot \;\vee\; \exists n\,(d = \mathrm{num}(n) \wedge P \Downarrow n) \;\vee\;
\exists f, \lambda x.M\,(d = \mathrm{fun}(f) \wedge P \Downarrow \lambda x.M \wedge \forall (d',P') \in R^-.\,(f(d'), M[P'/x]) \in R^+) \} .
\]

Clearly ψ determines a monotonic function

\[ \psi : \mathit{Rel}^{op} \times \mathit{Rel} \to \mathit{Rel} \]

where Rel is partially ordered via ⊆ and where Rel^op has the opposite ordering. Furthermore, φ can be recovered from ψ by diagonalizing:

\[ \phi(R) = \psi(R, R) . \qquad (3) \]

We remarked above that Rel is a complete lattice, with infima given by set-theoretic intersection. Hence Rel^op × Rel is also a complete lattice. We obtain a monotonic operator

\[ \psi^{\S} : \mathit{Rel}^{op} \times \mathit{Rel} \to \mathit{Rel}^{op} \times \mathit{Rel} \]

on this complete lattice by 'symmetrizing' ψ:

\[ \psi^{\S}(R^-, R^+) = (\psi(R^+, R^-),\ \psi(R^-, R^+)) . \]

Now we can apply Tarski's fixed point theorem to obtain the least fixed point of ψ^§, which we will denote by (◁^-, ◁^+). Thus ◁^- and ◁^+ are given by simultaneous, inductive definitions. Using the fact that infima in Rel are given by intersection, together with the definition of ψ^§, these relations can be described explicitly as follows:

\[
\begin{aligned}
\lhd^+ &\stackrel{\mathrm{def}}{=} \bigcap \{ R^+ \in \mathit{Rel} \mid \exists R^- \in \mathit{Rel}\,(R^- \subseteq \psi(R^+, R^-) \wedge \psi(R^-, R^+) \subseteq R^+) \} \\
\lhd^- &\stackrel{\mathrm{def}}{=} \bigcap \{ S \in \mathit{Rel} \mid \forall R^-, R^+ \in \mathit{Rel}.\,(R^- \subseteq \psi(R^+, R^-) \wedge \psi(R^-, R^+) \subseteq R^+ \Rightarrow R^- \subseteq S) \} .
\end{aligned}
\]

All we need to know about (◁^-, ◁^+) is that it is the least pre-fixed point of ψ^§. Writing out this least pre-fixed point property for ψ^§ on Rel^op × Rel purely in terms of ψ and Rel, we obtain the following characteristic properties of ◁^-, ◁^+ which have a mixed inductive/co-inductive flavour.

Lemma 5. 1. ◁^- = ψ(◁^+, ◁^-) and ψ(◁^-, ◁^+) = ◁^+.

2. For all R^-, R^+ ∈ Rel, if

\[ R^- \subseteq \psi(R^+, R^-) \quad\text{and}\quad \psi(R^-, R^+) \subseteq R^+ \]

then

\[ R^- \subseteq \lhd^- \quad\text{and}\quad \lhd^+ \subseteq R^+ . \]


Theorem 6 (Existence of ◁). When D is a minimal invariant for the domain constructor (Z + ((−) → (−)))_⊥, the relations ◁^- and ◁^+ are equal, and yield a formal approximation relation as in Definition 4.

Proof. First note that by (3) and part 1 of Lemma 5, if ◁^- = ◁^+ then this relation is a fixed point for the operation φ and hence has the properties required by Definition 4.

We split the equality ◁^- = ◁^+ into two inclusions. The inclusion ◁^+ ⊆ ◁^- follows immediately from Lemma 5, since by clause 1 we may take R^- = ◁^+ and R^+ = ◁^- in clause 2. So it remains to prove that ◁^- ⊆ ◁^+.

It is only at this point that we need the minimal invariant property of D. Recall that it says that id_D is the least fixed point of the continuous function δ_Φ : (D → D) → (D → D) defined in (2). We introduce the following piece of notation: given R, S ∈ Rel and a continuous function e ∈ (D → D), write

\[ e : R \subset S \]

to mean that for all (d, P) ∈ R, (e(d), P) ∈ S. From the definition of δ_Φ, it is straightforward to verify that

\[ e : R \subset S \;\Rightarrow\; \delta_\Phi(e) : \psi(S, R) \subset \psi(R, S) . \]

So taking R = ◁^- and S = ◁^+ and using part 1 of Lemma 5, we have that δ_Φ maps the set

\[ \{ e \in D \to D \mid e : \lhd^- \subset \lhd^+ \} \qquad (4) \]

into itself. Clearly this subset of D → D is chain-closed and contains ⊥, because of the admissibility condition elements of Rel satisfy. Hence by the familiar fixed point induction principle (see [15, Sect. 10.2] for example), id_D, being the least fixed point of δ_Φ, lies in the subset (4). Thus id_D : ◁^- ⊂ ◁^+, which is just to say that ◁^- ⊆ ◁^+. □
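The implication that the proof above calls straightforward, that e : R ⊂ S entails δ_Φ(e) : ψ(S, R) ⊂ ψ(R, S), written out case by case from (2) and the definition of ψ. This verification is added here and is not part of the paper's text; it uses only the paper's own symbols.

\[
\begin{aligned}
&\text{Assume } e : R \subset S \text{ and let } (d, P) \in \psi(S, R). \text{ We show } (\delta_\Phi(e)(d), P) \in \psi(R, S). \\[4pt]
&\text{Case } d = \bot:\quad \delta_\Phi(e)(\bot) = \bot, \text{ and } (\bot, P) \in \psi(R, S) \text{ by the first disjunct.} \\[4pt]
&\text{Case } d = \mathrm{num}(n) \text{ with } P \Downarrow n:\quad \delta_\Phi(e)(\mathrm{num}(n)) = \mathrm{num}(n), \text{ and } (\mathrm{num}(n), P) \in \psi(R, S) \text{ by the second disjunct.} \\[4pt]
&\text{Case } d = \mathrm{fun}(f) \text{ with } P \Downarrow \lambda x.M \text{ and } \forall (d', P') \in S.\ (f(d'), M[P'/x]) \in R: \\
&\qquad \delta_\Phi(e)(d) = \mathrm{fun}(e \circ f \circ e) \text{ by (2), so let } (d', P') \in R \text{ be arbitrary;} \\
&\qquad (d', P') \in R \;\Rightarrow\; (e(d'), P') \in S \qquad \text{since } e : R \subset S, \\
&\qquad \phantom{(d', P') \in R} \;\Rightarrow\; (f(e(d')), M[P'/x]) \in R \qquad \text{by the hypothesis on } f \text{ applied to } (e(d'), P') \in S, \\
&\qquad \phantom{(d', P') \in R} \;\Rightarrow\; (e(f(e(d'))), M[P'/x]) \in S \qquad \text{since } e : R \subset S \text{ again;} \\
&\qquad \text{hence } \forall (d', P') \in R.\ ((e \circ f \circ e)(d'), M[P'/x]) \in S, \text{ i.e. } (\mathrm{fun}(e \circ f \circ e), P) \in \psi(R, S).
\end{aligned}
\]

With R = ◁^- and S = ◁^+ this is exactly the step the proof needs: by part 1 of Lemma 5, ψ(◁^+, ◁^-) = ◁^- and ψ(◁^-, ◁^+) = ◁^+, so the implication reads e : ◁^- ⊂ ◁^+ ⟹ δ_Φ(e) : ◁^- ⊂ ◁^+, which is the closure of the set (4) under δ_Φ.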

4 Further development

The method of construction of ◁ we have given in this paper can be used quite generally to construct recursively specified relations on recursively defined domains without having to delve into the details of the construction of the domain. Moreover, the construction applies to many different notions of 'relation' on a domain. (Here for example, a relation on D has meant a subset of D × Prog.) The construction can be phrased in terms of an abstract notion of 'relational structure' on a category of domains and of the 'action' of domain constructors on relations, due to O'Hearn and Tennent [7]. This general form of the construction is described in [9, Sect. 5]. That paper treats the case of unary relational structures, but the method generalizes easily to n-ary relations. For example, we believe that the recursively specified relation between two recursively defined domains employed by Reynolds to relate a direct and a continuation semantics of an untyped functional language in [12] can be constructed by applying our method to a suitable binary relational structure.

As pointed out in [9], the method of construction not only provides a simpler construction of certain relations, but also characterizes these relations uniquely via a 'universal property'. For instance, by virtue of Lemma 5 (and the fact that ◁^- = ◁ = ◁^+), the formal approximation relation ◁ is a 'mixed' fixed point in the sense of the following definition.

Definition 7 (Mixed fixed point). Let (ℛ, ≤) be a partially ordered set and let ψ : ℛ^op × ℛ → ℛ be a monotonic function. Then M ∈ ℛ is a mixed fixed point for ψ if

\[ M = \psi(M, M) \qquad (5) \]

and

\[ \forall R, S \in \mathcal{R}\,(R \le \psi(S, R) \wedge \psi(R, S) \le S \;\Rightarrow\; R \le M \le S) . \qquad (6) \]

Note that the mixed fixed point of ψ is unique if it exists. Indeed, if R ∈ ℛ satisfies R = ψ(R, R), then (6) (with S = R) implies that R ≤ M ≤ R, i.e. R = M.

It is not hard to see that conditions (5) and (6) are equivalent to saying that (M, M) is the least pre-fixed point of the monotonic operator

\[ (R, S) \mapsto (\psi(S, R),\ \psi(R, S)) \]

on ℛ^op × ℛ; or to saying that (M, M) is the greatest post-fixed point of that operator. In fact Definition 7 is the special case for monotonic functions of the condition on functors of mixed variance formulated by Freyd in his work on 'algebraically compact' categories [2, 3]. One can summarize the results in [9, Sect. 5] as establishing that the algebraic compactness property of the category of domains and strict continuous functions is inherited by categories of 'domains equipped with relations' (for a very general notion of relation). As the rest of that paper demonstrates, from the mixed fixed point property of recursively defined relations it is possible to derive a number of induction and co-induction [8] principles for reasoning about the properties of recursively defined domains.
Abstract. The Structural Induction Theorem (Lehmann and Smyth, 1981; Plotkin, 1981) characterises initial F-algebras of locally continuous functors F on the category of cpo's with strict and continuous maps. Here a dual of that theorem is presented, giving a number of equivalent characterisations of final coalgebras of such functors. In particular, final coalgebras are order strongly-extensional (sometimes called internal full abstractness): the order is the union of all (ordered) F-bisimulations. (Since the initial fixed point for locally continuous functors is also final, both theorems apply.) Further, a similar co-induction theorem is given for a category of complete metric spaces and locally contracting functors.


1  Introduction 

Consider a preorder (P, ≤) and a monotone function f : P → P. An element q ∈ P is a post-fixed point of f (also called f-consistent) if q ≤ f(q). If the collection of post-fixed points of f has a largest element, then this is also the greatest fixed point of f. Defining p as the greatest post-fixed point of f is sometimes called a co-inductive definition. (A typical example is a complete lattice (P, ⊑) and a monotone function f, which by Tarski's fixed-point theorem has a greatest (post-)fixed point.) Being the greatest post-fixed point can also be used as a proof method: in order to establish q ≤ p, for q ∈ P, it is sufficient to prove q ≤ f(q). This fact is sometimes called a co-induction principle.

A  familiar  example  in  computer  science  is  the  co-inductive  definition  of  the 
bisimilarity  relation  on  a  labelled  transition  system.  It  is  defined  as  the  greatest 
fixed  point  of  a  monotone  function  on  the  lattice  of  relations  on  the  states  of 
this  transition  system  (see  [Mil89]).  An  example  of  the  above  co-induction  proof 
principle  can  be  found  in  [MT91],  where  it  is  used  to  prove  the  consistency  of  the 
static  and  the  dynamic  semantics  of  a  simple  functional  programming  language 
with  recursive  functions. 

By generalizing preorders to categories C and monotone functions to functors F : C → C, a co-induction principle can be obtained for recursive data types, which are often defined as fixed points. Post-fixed points of F are F-coalgebras (A, α), and consist of an object A in C together with an arrow α : A → F(A) (generalizing ≤). These F-coalgebras form again a category, as the post-fixed points of a monotonic function form a preorder. Arrows between two F-coalgebras (A, α) and (B, β) are arrows f : A → B (in C) such that β ∘ f = F(f) ∘ α. A greatest post-fixed point for a functor F is a final F-coalgebra (A, α): for any other F-coalgebra (B, β) there exists a unique arrow f : (B, β) → (A, α). If (A, α) is a final F-coalgebra then A is a fixed point of F (i.e., α is an isomorphism).

As will become apparent, the richer structure of categories allows for a number of different formulations of a co-induction principle for final coalgebras of functors. For instance, let (A, α) and (B, β) be F-coalgebras, and suppose that (A, α) is final. The following can be easily proved. For any π : (A, α) → (B, β): if π is epi then it is an isomorphism (cf. [Smy92]). Note that this generalizes the fact that for an ordered set (P, ≤) and a monotone function f : P → P: if p, q ∈ P, with p the greatest post-fixed point of f and q ≥ p, then q ≤ f(q) implies p = q, another formulation of the co-induction principle mentioned above.

In  particular,  locally  continuous  (endo-)functors  on  the  category  of  complete 
partial  orders  will  be  investigated.  These  functors  are  well-known  to  have  an 
initial  F-algebra  (see  [SP82]),  which  is  at  the  same  time  a  final  F-coalgebra.  A 
structural  co-induction  theorem  will  be  proved,  giving  a  number  of  equivalent 
characterizations  for  such  final  F-coalgebras.  Maybe  the  most  surprising  and 
interesting  one  is  the  equivalence  between  finality  and  so-called  order  strong- 
extensionality,  stating  that  two  elements  are  ordered  if  and  only  if  they  are 
related by a so-called ordered bisimulation. Order-bisimulations generalize the F-bisimulations of [AM89], which in turn are categorical abstractions of the notion of bisimulation of [Par81, Mil89]. In the present paper, the definition of ordered bisimulation from [Fio93] is used, which generalizes the original definition from [RT93] by the use of lax-homomorphisms.

The co-induction theorem (Section 5) is presented as and named after a dualization of the structural induction theorem of [Plo81] (but see also [LS81]), which is repeated here in the Appendix. Part of this dualization is fairly straightforward; order strong-extensionality, however, does not arise as the dual of the structural induction principle for ω-inductive sets (clause (3) of the induction theorem), nor do the corresponding parts of the proof. Note that because initial algebras of locally continuous functors are also final, both the induction and the co-induction theorem apply to them.

In  Section  6,  the  co-induction  theorem  is  used  to  extend  the  final  semantics 
approach  of  [RT93]  (initiated  in  [Acz88])  to  the  ordered  case:  the  unique  arrow 
from  a  coalgebra  to  a  final  coalgebra  is  shown  to  preserve  and  reflect  the  bisimu¬ 
lation  order.  The  paper  is  concluded  by  proving,  in  Section  7,  a  slightly  adapted 
version  of  the  co-induction  theorem  for  a  category  of  metric  spaces  and  locally 
contracting  functors,  in  very  much  the  same  way.  This  last  result  is  illustrated 
by  the  description  of  a  metric  hyperuniverse. 


2  Preliminaries 

Let C be a category and F : C → C be a functor from C to C. An F-coalgebra is a pair (A, α), consisting of an object A and an arrow α : A → F(A) in C. It is dual to the notion of F-algebra: an F-algebra is a pair (A, α), consisting of an object A and an arrow α : F(A) → A in C.

For instance, any preorder (P, ≤) is a category (with an arrow between two elements iff they are order related) and post-fixed points of monotone functions f : P → P are examples of f-coalgebras.

The collection of F-coalgebras constitutes a category by taking as arrows between coalgebras (A, α) and (B, β) those arrows f : A → B in C such that β ∘ f = F(f) ∘ α; that is, the following diagram commutes:

        A ------- f ------> B
        |                   |
        α                   β
        v                   v
      F(A) ---- F(f) ----> F(B)

Such an arrow f from (A, α) to (B, β) is called a homomorphism of F-coalgebras.

For example, a graph (N, →), consisting of a set N of nodes and a collection → of (directed) arcs between nodes can be regarded as a coalgebra of the (covariant) powerset functor 𝒫 on the category Set of sets as follows: define child : N → 𝒫(N) by, for all n ∈ N, child(n) = {m | n → m}. Arrows between graphs (as coalgebras) are those mappings between the sets of nodes that respect the child relation.


Definition  1.  An  object  A  in  C  is  called  final  if  for  any  other  object  B  in  C  there 
exists  a  unique  arrow  from  B  to  A.  It  is  the  dual  notion  of  initial  object  (unique 
arrow  from  the  object).  Final  and  initial  objects  are  unique  up  to  isomorphism. 

□ 


The following is standard (see, e.g., [SP82]).

Proposition 2. Every final F-coalgebra (A, α) is a fixed point of F (that is, α is an isomorphism). □

3 Coalgebras in CPO⊥

Let CPO⊥ be the category with complete partial orders (D, ⊑_D) as objects and strict and continuous functions as arrows. For any two cpo's D and E, the set hom(D, E) of arrows between D and E is itself a cpo, with the usual order: for all f, g ∈ hom(D, E),

\[ f \le g \;\equiv\; \forall x \in D,\ f(x) \sqsubseteq_E g(x) . \]

Moreover composition of arrows is continuous with respect to this ordering. Therefore the category CPO⊥ is called an order-enriched (or O-) category ([SP82]). The structure on hom sets can be used to characterize a class of functors.

Definition 3. A functor F : CPO⊥ → CPO⊥ is locally continuous if, for any two objects D, E ∈ CPO⊥, the mapping

\[ F_{D,E} : \mathrm{hom}(D, E) \to \mathrm{hom}(F(D), F(E)) \]

is continuous. Similarly, F is locally monotonic if F_{D,E} is monotonic. □

Next we recall the definition of the subcategory CPO^E of CPO⊥. If D and D' are cpo's and p^e : D → D' and p^p : D' → D are arrows in CPO⊥ then (p^e, p^p) is called an embedding-projection pair from D to D' provided that

\[ p^p \circ p^e = \mathrm{id}_D \quad\text{and}\quad p^e \circ p^p \le_{\mathrm{hom}(D',D')} \mathrm{id}_{D'} . \]

Note that the one half of such a projection pair determines the other. Let CPO^E denote the subcategory of CPO⊥ that has cpo's as objects and embedding-projection pairs as arrows. Note that also CPO^E is an order-enriched category. The following theorem is standard (see [SP82]).

Theorem 4. Every F : CPO⊥ → CPO⊥ that is locally continuous can be extended to a functor F^E : CPO^E → CPO^E that is ω-continuous (preserving colimits of ω-chains): on objects F^E is identical to F; and on arrows, F^E is given by

\[ F^E((p^e, p^p)) = (F(p^e), F(p^p)) . \]

A fixed point of F is obtained by constructing an initial F^E-algebra D in CPO^E as the colimit of the ω-chain (D_n, α_n)_n, given by D_0 = {⊥}, the trivial embedding α_0 : D_0 → F(D_0), and for all n ≥ 0, D_{n+1} = F(D_n), α_{n+1} = F(α_n). □

This fixed point D is an initial F^E-algebra (D, i^{-1}) in the category CPO^E. Moreover, it can also be seen to be an initial F-algebra in CPO⊥: the fact that D is a colimit (of its defining chain) in CPO^E implies, by a little exercise (Exercise 4.17 from [Plo81], to be precise), that it is a colimit in CPO⊥ as well; then the 'Basic Lemma', from [SP82], immediately yields the result. By the so-called "limit-colimit coincidence" for O-categories, which is extensively discussed in [SP82], the dual of these facts also holds: Let CPO^P be defined as (CPO^E)^op, the opposite category of CPO^E. Thus arrows in CPO^P are mappings p^p for which there exists a (unique) p^e such that (p^e, p^p) is an embedding-projection pair. The fact that (D, i^{-1}) is an initial F^E-algebra (in CPO^E) implies that (D, i) is a final F^P-coalgebra in CPO^P. (Here F^P is defined analogously to F^E.) Again, (D, i) is a final F-coalgebra in CPO⊥ as well, which can be shown by dualizing the little argument above. Summarizing, we have the following.

Theorem 5. Let F : CPO⊥ → CPO⊥ be a locally continuous functor and let (D, i^{-1}) be the (in CPO^E) initial F^E-algebra as described above. Then (D, i) is a final F^P-coalgebra in CPO^P as well as a final F-coalgebra in CPO⊥. □
4 Ordered F-bisimulation

In [AM89], a categorical generalization of the notion of bisimulation of [Par81, Mil89] has been given in terms of coalgebras of functors on a category of classes. In [RT93], this definition is extended to functors F on arbitrary categories, yielding the notion of F-bisimulation. The order on hom sets in the category CPO⊥ makes the following generalization of that definition possible. Let for the rest of this section F : CPO⊥ → CPO⊥ be a functor.

Definition 6. Let (A, α) be an F-coalgebra and R a relation on A with projections π_1, π_2 : R → A. (That is, R ⊆ A × A is a cpo (R, ⊑_R) such that the inclusion function i : R → A × A is continuous.) Then R is called an ordered F-bisimulation on (A, α) if there exists an arrow β : R → F(R) such that

        A  <---- π_1 ----  R  ---- π_2 ---->  A
        |                  |                  |
        α        ≥         β        =         α
        v                  v                  v
      F(A) <-- F(π_1) -- F(R) -- F(π_2) --> F(A)

That is, π_2 is a homomorphism of coalgebras (satisfying F(π_2) ∘ β = α ∘ π_2), and π_1 is a so-called lax-homomorphism: it satisfies F(π_1) ∘ β ≥ α ∘ π_1. □

The above definition is from [Fio93] and generalizes an earlier definition of ordered bisimulation given in [RT93], which required the existence of two coalgebra mappings β_1, β_2 : R → F(R) such that β_1 ≤ β_2 and both π_1 and π_2 are coalgebra homomorphisms. The latter can be seen to be a special instance of the definition given above by taking β = β_2. (Cf. the notion of simulation in [Pit92]; see also [Pit93], where proof principles that combine induction and co-induction are studied.)

The following definition generalizes the notion of strong extensionality used in [Acz88] (in the context of non-well-founded set theory). It is sometimes called internal full abstractness (cf. [Abr91]).

Definition 7. Let (A, α) be an F-coalgebra, and let ⊑_A be the order on A. Let ⊑_F ⊆ A × A be defined by

\[ \sqsubseteq_F \;=\; \bigcup \{ R \subseteq A \times A \mid R \text{ is an ordered } F\text{-bisimulation on } (A, \alpha) \} . \]

Elements a, b ∈ A with a ⊑_F b are called (ordered) F-bisimilar. Now (A, α) is called order strongly-extensional if, for all a, b ∈ A,

\[ a \sqsubseteq_A b \;\Leftrightarrow\; a \sqsubseteq_F b . \]

□


Example 1. A deterministic partial transition system is a pair (S, →) consisting of a set S of states and a transition relation → ⊆ S × S that is a partial function. We assume that S contains a minimal element ⊥_S and is otherwise discretely ordered. Furthermore we assume that {s ∈ S | ⊥_S → s} = ∅.

Such transition systems can be represented as coalgebras of the functor (−)_⊥ : CPO⊥ → CPO⊥, which maps a cpo D to its lifted version (D)_⊥ by extending D with a new minimal element ⊥_new. For (S, →), define α : S → (S)_⊥ for s ∈ S by

\[ \alpha(s) = \begin{cases} s' & \text{if } s \to s' \\ \bot_{new} & \text{otherwise.} \end{cases} \]

An ordered (−)_⊥-bisimulation (R, β) on (S, α),

        S  <---- π_1 ----  R  ---- π_2 ---->  S
        |                  |                  |
        α        ≥         β        =         α
        v                  v                  v
     (S)_⊥ <-- (π_1)_⊥ -- (R)_⊥ -- (π_2)_⊥ --> (S)_⊥

satisfies for all s, t ∈ S with s R t, and for all s' ∈ S,

\[ \text{if } s \to s' \text{ then } \exists t' \in S,\ t \to t' \text{ and } s' R t' . \]

Two states s and t in S are bisimilar whenever the number of subsequent transition steps that can be taken from t is at least as big as the number of steps that are possible starting from s. If β were such that also π_1 is a coalgebra homomorphism, then two states would be bisimilar if they can take the same number of steps. □
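As an added example (this code is not from the paper), the following Python computes greatest fixed points of monotone relation transformers on finite state sets by iterating down from S × S. It instantiates the co-inductive definition of bisimilarity and the co-induction proof principle of Section 1 on a small labelled transition system, and the ordered (−)_⊥-bisimulation of Example 1, whose greatest instance is checked against the step-count description given above, together with the symmetric variant where π_1 is also a homomorphism. All transition systems, state names and helper functions (gfp, matched, ordered_step and so on) are constructed for this example.

```python
# Added example, not from the paper: greatest fixed points of monotone relation
# transformers on a finite state set, computed by iterating down from S×S.  It
# instantiates (i) the co-inductive definition of bisimilarity and the
# co-induction proof principle of Section 1, and (ii) the ordered (−)_⊥-bisim-
# ulation of Example 1, checking the step-count description given there.  The
# transition systems are constructed for this example.
from typing import Callable, Dict, FrozenSet, Iterable, Optional, Set, Tuple

Rel = FrozenSet[Tuple[str, str]]
Succ = Callable[[str], Iterable[Tuple[str, str]]]    # state -> {(label, target)}

def gfp(f: Callable[[Rel], Rel], top: Rel) -> Rel:
    """Greatest fixed point of a monotone f on the finite lattice of relations
    ordered by ⊆: the chain top ⊇ f(top) ⊇ f(f(top)) ⊇ ... stabilises, and any
    post-fixed point q ⊆ f(q) lies below every member of it."""
    r = top
    while (nxt := f(r)) != r:
        assert nxt < r, "transformer is not monotone"
        r = nxt
    return r

def coinduction(f: Callable[[Rel], Rel], q: Rel) -> bool:
    """Proof principle: q ⊆ f(q) suffices for q ⊆ gfp(f)."""
    return q <= f(q)

def inverse(r: Rel) -> Rel:
    return frozenset((t, s) for s, t in r)

def matched(s: str, t: str, succ: Succ, r: Rel) -> bool:
    """Every move s -a-> s' has a move t -a-> t' with (s', t') in r."""
    return all(any(b == a and (s1, t1) in r for b, t1 in succ(t)) for a, s1 in succ(s))

# (i) Labelled transition system: p and q have the same traces {ab, ac} but are
# not bisimilar; r is bisimilar to p.
LTS = {("p", "a", "p1"), ("p1", "b", "p2"), ("p1", "c", "p3"),
       ("q", "a", "q1"), ("q", "a", "q2"), ("q1", "b", "q3"), ("q2", "c", "q4"),
       ("r", "a", "r1"), ("r1", "b", "r2"), ("r1", "c", "r3")}
STATES = sorted({x for x, _, _ in LTS} | {y for _, _, y in LTS})
TOP = frozenset((s, t) for s in STATES for t in STATES)

def lts_succ(s: str) -> Set[Tuple[str, str]]:
    return {(a, t) for x, a, t in LTS if x == s}

def bisim_step(r: Rel) -> Rel:
    """Monotone operator whose greatest fixed point is bisimilarity: (s, t)
    survives iff each side's moves are matched by the other inside r."""
    return frozenset((s, t) for s, t in TOP
                     if matched(s, t, lts_succ, r) and matched(t, s, lts_succ, inverse(r)))

BISIMILARITY = gfp(bisim_step, TOP)
# A hand-written bisimulation relating p and r; co-induction puts it inside BISIMILARITY.
WITNESS = frozenset({("p", "r"), ("p1", "r1"), ("p2", "r2"), ("p3", "r3")})

# (ii) Example 1: a deterministic partial transition system, with ⊥_S ("bot")
# making no move and "loop" able to move forever.
NEXT: Dict[str, Optional[str]] = {"bot": None, "a0": "a1", "a1": "a2", "a2": None,
                                  "b0": "b1", "b1": None, "loop": "loop", "d": None}
DTOP = frozenset((s, t) for s in NEXT for t in NEXT)

def det_succ(s: str) -> Set[Tuple[str, str]]:
    return set() if NEXT[s] is None else {("", NEXT[s])}    # unlabelled: one dummy label

def ordered_step(r: Rel) -> Rel:
    """π_2 a homomorphism, π_1 only lax: a move of s must be matched by t in r,
    but t may move when s cannot."""
    return frozenset((s, t) for s, t in DTOP if matched(s, t, det_succ, r))

def symmetric_step(r: Rel) -> Rel:
    """Both projections homomorphisms: moves must be matched in both directions."""
    return ordered_step(r) & inverse(ordered_step(inverse(r)))

def steps(s: str) -> float:
    """Number of transition steps possible from s (inf when s reaches a cycle)."""
    seen, n = set(), 0
    while NEXT[s] is not None:
        if s in seen:
            return float("inf")
        seen.add(s)
        s, n = NEXT[s], n + 1
    return n

ORDERED = gfp(ordered_step, DTOP)         # the greatest ordered (−)_⊥-bisimulation
SYMMETRIC = gfp(symmetric_step, DTOP)
BY_STEPS = frozenset((s, t) for s, t in DTOP if steps(t) >= steps(s))
SAME_STEPS = frozenset((s, t) for s, t in DTOP if steps(t) == steps(s))
```

ORDERED coincides with BY_STEPS, the relation "t can take at least as many steps as s", and SYMMETRIC with SAME_STEPS, which is the step-count description of Example 1 computed rather than asserted; in (i), BISIMILARITY contains (p, r) but not the trace-equivalent pair (p, q), and coinduction(bisim_step, WITNESS) is True, which is all that is needed to conclude WITNESS ⊆ BISIMILARITY.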


Example 2. A nondeterministic transition system with divergence is a triple

$(S, \to, \uparrow)$

consisting of a set $S$ of states, a transition relation ${\to} \subseteq S \times S$, and a divergence set ${\uparrow} \subseteq S$. (This is the, for simplicity, unlabelled version of the transition systems with divergence considered in [Abr91].) One should think of states $s$ in $\uparrow$ (notation: $s\uparrow$) as having the possibility of divergence. Similarly $s\downarrow$ is used to indicate that $s$ converges, that is, $s$ not in $\uparrow$.

As above, we assume that $S$ has a minimal element $\bot_S$, satisfying now $\{ s \in S \mid \bot_S \to s \} = \emptyset = \{ s \in S \mid s \to \bot_S \}$ (so $\bot_S$ is not involved in any transitions) and in addition $\bot_S\uparrow$. We shall only consider transition systems that are finitely branching, i.e., for all $s \in S$, the set $\{ s' \in S \mid s \to s' \}$ is finite.

Transition systems with divergence can be represented as coalgebras of the functor $\mathcal{P} : \mathbf{CPO}_\bot \to \mathbf{CPO}_\bot$, which takes a cpo $D$ to the Plotkin powerdomain of its lifted version $(D)_\bot$, extended (as in [Abr91]) with the empty set. In the ordering of $\mathcal{P}(D)$, the empty set is greater than the bottom element $\{\bot_{new}\}$, and incomparable to all other elements; non-empty sets $X, Y \in \mathcal{P}(D)$ are ordered as usual by the Egli-Milner order. For $(S, \to, \uparrow)$ define $\alpha : S \to \mathcal{P}(S)$ by, for all $s \in S$,

$\alpha(s) = \{ s' \in S \mid s \to s' \} \cup \{ \bot_{new} \in (S)_\bot \mid s\uparrow \}.$

An ordered $\mathcal{P}$-bisimulation $(R, \beta)$ on $(S, \alpha)$,

    R   ---π_1--->   S   <---π_2---   R
    |β      ≥_1      |α      =_2      |β
  P(R) ---P(π_1)--> P(S) <--P(π_2)--- P(R)

(that is, $\alpha \circ \pi_1 \le \mathcal{P}(\pi_1) \circ \beta$, condition $(\ge_1)$, and $\alpha \circ \pi_2 = \mathcal{P}(\pi_2) \circ \beta$, condition $(=_2)$), satisfies for all $s, t \in S$ with $s\,R\,t$, and for all $s', t' \in S$,

if $s \to s'$ then $\exists t' \in S$, $t \to t'$ and $s'\,R\,t'$;

if $s\downarrow$ then ($t\downarrow$ and if $t \to t'$ then $\exists s' \in S$, $s \to s'$ and $s'\,R\,t'$).

(Relations satisfying these two conditions are called partial bisimulations in [Abr91].) For suppose $s\,R\,t$ and $s \to s'$. By the definition of $\alpha$, $s' \in \alpha(s) = \alpha \circ \pi_1((s,t))$, and because of $(\ge_1)$, also $s' \in \mathcal{P}(\pi_1)(\beta((s,t)))$. Thus there exists $t' \in S$ with $(s', t') \in \beta((s,t))$, satisfying $s'\,R\,t'$; $(=_2)$ implies $t' \in \alpha(t)$ whence $t \to t'$.

Next suppose $s\downarrow$. Thus $\bot_{new} \notin \alpha(s)$ and hence $\bot_{new} \notin \mathcal{P}(\pi_1)(\beta((s,t)))$, by $(\ge_1)$ and the definition of the Egli-Milner order. By the definition of $\mathcal{P}(\pi_1)$ it follows that $\bot_{new} \notin \beta((s,t))$ (since for any $X \in \mathcal{P}(R)$, $\mathcal{P}(\pi_1)(X)$ contains $\bot_{new}$ iff $X$ does). Thus by $(=_2)$, $\alpha(t)$ does not contain $\bot_{new}$, that is, $t\downarrow$. Further suppose $t \to t'$. By $(=_2)$, there is $s' \in S$ with $(s', t') \in \beta((s,t))$. By $(\ge_1)$ and the fact that $\alpha(s)$ does not contain $\bot_{new}$ (nor $\bot_S$), it follows that $s' \in \alpha(s)$, thus $s \to s'$.

Conversely, any relation $R \subseteq S \times S$ (not involving $\bot_S$) satisfying the two above conditions can be turned into a $\mathcal{P}$-coalgebra $(T, \beta)$ by defining

$T = R \cup (\{\bot_S\} \times S)$

and $\beta : T \to \mathcal{P}(T)$ by, for all $s\,T\,t$,

$\beta((s,t)) = \{ (s', t') \in T \mid s \to s' \text{ and } t \to t' \text{ and } s'\,R\,t' \}$
$\qquad \cup\ \{ (\bot_S, t') \in T \mid s\uparrow \text{ and } t \to t' \}$
$\qquad \cup\ \{ \bot_{new} \in (T)_\bot \mid s\uparrow \text{ and } t\uparrow \}.$

It is left to the reader to verify that $(T, \beta)$ is an ordered $\mathcal{P}$-bisimulation. □


5 A structural co-induction theorem

Next  we  formulate  and  prove  the  main  theorem  of  this  paper.  (The  definitions 
of  some  of  the  categorical  and  order-theoretic  notions  used  here,  can  be  found 
in  the  Appendix.) 

Theorem 8. Let $F : \mathbf{CPO}_\bot \to \mathbf{CPO}_\bot$ be a locally continuous functor. Let $(A, \alpha)$ be an $F$-coalgebra. Then of the following six statements, (1), (2), (2'), (4) and (5) are equivalent and all imply (3). If $F$ moreover weakly preserves ordered kernel pairs then all statements are equivalent.

1. $(A, \alpha)$ is a final $F$-coalgebra.

2. $\alpha$ is epi; and for any $F$-coalgebra $(B, \beta)$ and coalgebra homomorphism $e : (A, \alpha) \to (B, \beta)$: if $e$ is epi then it is an isomorphism:

    A   ----e---->   B
    |α               |β
  F(A) ---F(e)---> F(B)

2'. As 2., but with epi replaced by dense-epi, twice.

3. $\alpha$ is dense-epi and $(A, \alpha)$ is order strongly-extensional; that is, if $\sqsubseteq_A$ is the order on $A$ then

$\sqsubseteq_A\ =\ \bigcup \{ R \subseteq A \times A \mid R \text{ is an ordered } F\text{-bisimulation on } (A, \alpha) \}.$

4. $\alpha$ is an isomorphism and $1_A = \mu h.\ \alpha^{-1} \circ F(h) \circ \alpha$ (the least fixed point).

5. $(A, \alpha)$ is maximally-final: it is a final $F$-coalgebra and for any $F$-coalgebra $(B, \beta)$ the unique coalgebra homomorphism $e : (B, \beta) \to (A, \alpha)$ is maximal among the lax-homomorphisms between $(B, \beta)$ and $(A, \alpha)$; that is, for any $f : B \to A$, if $\alpha \circ f \le F(f) \circ \beta$ then $f \le e$.

Schematically:

$1 \Leftrightarrow 2 \Leftrightarrow 2' \Leftrightarrow 4 \Leftrightarrow 5 \Rightarrow 3,$

$3\ +\ F \text{ weakly preserves ordered kernel pairs} \ \Rightarrow\ 2'.$

Proof: 

(1) ⇒ (2): By Proposition 2, $\alpha$ is an isomorphism and hence epi. Consider an epi $e : A \to B$ and suppose $e : (A, \alpha) \to (B, \beta)$ is a coalgebra homomorphism. Since $(A, \alpha)$ is final there exists a unique $h : (B, \beta) \to (A, \alpha)$. Thus both $1_A$ and $h \circ e$ are arrows from $(A, \alpha)$ to itself. By finality $h \circ e = 1_A$. From

$(e \circ h) \circ e = e \circ (h \circ e) = e \circ 1_A = 1_B \circ e$

and the fact that $e$ is epi, it follows that $e \circ h = 1_B$.

(2) ⇒ (1): First we observe that $\alpha$ is an isomorphism, which follows from applying (2) to the following diagram (note that here the fact is used that $\alpha$ is epi):

    A   ----α---->   F(A)
    |α               |F(α)
  F(A) ---F(α)---> F(F(A))

Let $(D, \iota^{-1})$ be the initial $F$-algebra from Theorem 4. We saw (Theorem 5) that $(D, \iota)$ is a final $F^P$-coalgebra (in $\mathbf{CPO}^P$). Since $\alpha$ is an isomorphism it is also a projection, hence there exists a projection $e : A \to D$, which (by the construction of $D$) is also an arrow of coalgebras $e : (A, \alpha) \to (D, \iota)$. Now every projection is epi and by applying (2), $e$ can be seen to be an isomorphism. Because $(D, \iota)$ is a final $F$-coalgebra in $\mathbf{CPO}_\bot$ (again by Theorem 5) and $(A, \alpha)$ and $(D, \iota)$ are isomorphic coalgebras, it follows that also $(A, \alpha)$ is a final $F$-coalgebra.

(1) ⇔ (2'): Inspection of the above two implications tells us that their proofs remain valid when epi is replaced by dense-epi.

(1) ⇒ (4): The finality of $(A, \alpha)$ implies that $\alpha$ is an isomorphism. Since $F$ is locally continuous the function $\lambda h.\ \alpha^{-1} \circ F(h) \circ \alpha$ is continuous. Define $g = \mu h.\ \alpha^{-1} \circ F(h) \circ \alpha$. It is immediate that $\alpha \circ g = F(g) \circ \alpha$, thus $g : (A, \alpha) \to (A, \alpha)$. By finality, $g = 1_A$.

(4) ⇒ (2): Since $\alpha$ is an isomorphism it is also epi. Consider an epi $e : (A, \alpha) \to (B, \beta)$. We prove that $e$ is an isomorphism. Let $g = \mu h.\ \alpha^{-1} \circ F(h) \circ \beta$. Then $\alpha \circ g = F(g) \circ \beta$, and we have the following diagram:

    B   ----g---->   A   ----e---->   B
    |β               |α               |β
  F(B) ---F(g)---> F(A) ---F(e)---> F(B)

Next we show that $g \circ e = 1_A$, from which it follows (as in the proof of "(1) ⇒ (2)") that $e \circ g = 1_B$, using the fact that $e$ is epi. First we prove $g \circ e \le 1_A$, by fixed-point induction on the definition of $g$ (the predicate $h \circ e \le 1_A$ on $h : B \to A$ is $\omega$-inductive):

• $(\lambda b \in B.\ \bot_A) \circ e = \lambda a \in A.\ \bot_A \le 1_A$.

• Suppose $h \circ e \le 1_A$. Then

$\alpha^{-1} \circ F(h) \circ \beta \circ e = \alpha^{-1} \circ F(h) \circ F(e) \circ \alpha = \alpha^{-1} \circ F(h \circ e) \circ \alpha \le 1_A,$

since, by assumption, $h \circ e \le 1_A$, and the facts that $\alpha$ is an isomorphism and $F$ is locally (continuous and hence) monotonic.

Next we shall use $1_A = \mu h.\ \alpha^{-1} \circ F(h) \circ \alpha$ from (4) to prove $1_A \le g \circ e$:

• $\lambda a \in A.\ \bot_A \le g \circ e$.

• Suppose $h \le g \circ e$. Then

$\alpha^{-1} \circ F(h) \circ \alpha \le \alpha^{-1} \circ F(g \circ e) \circ \alpha$ (since $F$ is locally monotonic)
$= \alpha^{-1} \circ F(g) \circ F(e) \circ \alpha$
$= \alpha^{-1} \circ F(g) \circ \beta \circ e$
$= \alpha^{-1} \circ \alpha \circ g \circ e$
$= g \circ e.$

(1) ⇒ (5): Let $f : (B, \beta) \to (A, \alpha)$ be a lax-homomorphism. By Proposition 2, $\alpha$ is an isomorphism. Define a sequence of functions from $B$ to $A$ inductively by

$e_0 = f,$
$e_{n+1} = \alpha^{-1} \circ F(e_n) \circ \beta.$

Then $(e_n)_n$ is a chain ($f \le \alpha^{-1} \circ F(f) \circ \beta$ because $f$ is a lax-homomorphism, and $h \mapsto \alpha^{-1} \circ F(h) \circ \beta$ is monotonic) and its least upper bound $e$ satisfies

$e = \bigsqcup_n e_n = \bigsqcup_n \alpha^{-1} \circ F(e_n) \circ \beta = \alpha^{-1} \circ F(\bigsqcup_n e_n) \circ \beta = \alpha^{-1} \circ F(e) \circ \beta,$

where the third step is by local continuity of $F$. Hence $e$ is the unique coalgebra homomorphism from $(B, \beta)$ to $(A, \alpha)$. It follows from the definition of $e$ that $f \le e$.

(5) ⇒ (1): trivial.

(4) ⇒ (3): The fact that $\alpha$ is an isomorphism implies that it is dense-epi. We have to show that

$\sqsubseteq_A\ =\ \bigcup \{ R \subseteq A \times A \mid R \text{ is an ordered } F\text{-bisimulation on } (A, \alpha) \}.$

The inclusion from left to right follows from the fact that $\sqsubseteq_A$ is an ordered $F$-bisimulation on $(A, \alpha)$: First observe that $\sqsubseteq_A$, with the inherited order from $A \times A$, is a cpo. Next define $\Delta : A \to\ \sqsubseteq_A$ by, for all $a \in A$, $\Delta(a) = \langle a, a \rangle$, and $\beta : \sqsubseteq_A \to F(\sqsubseteq_A)$ by

$\beta = F(\Delta) \circ \alpha \circ \pi_2.$

Then $(\sqsubseteq_A, \beta)$ is an ordered $F$-bisimulation on $(A, \alpha)$:

   ⊑_A  ---π_1--->   A   <---π_2---  ⊑_A
    |β       ≥       |α       =       |β
  F(⊑_A) --F(π_1)--> F(A) <--F(π_2)-- F(⊑_A)

since

$\alpha \circ \pi_1 = F(\pi_1 \circ \Delta) \circ \alpha \circ \pi_1$ (because $\pi_1 \circ \Delta = 1_A$)
$\le F(\pi_1) \circ F(\Delta) \circ \alpha \circ \pi_2$ (because $\pi_1 \le \pi_2$ on $\sqsubseteq_A$ and $\alpha$ is monotonic)
$= F(\pi_1) \circ \beta,$

and

$\alpha \circ \pi_2 = F(\pi_2 \circ \Delta) \circ \alpha \circ \pi_2 = F(\pi_2) \circ \beta.$

Conversely, consider an ordered $F$-bisimulation $(R, \beta)$ on $(A, \alpha)$:

    R   ---π_1--->   A   <---π_2---   R
    |β       ≥       |α       =       |β
  F(R) ---F(π_1)--> F(A) <--F(π_2)--- F(R)

We prove $R \subseteq\ \sqsubseteq_A$ or rather, equivalently, $\pi_1 \le \pi_2$. We use fixed-point induction on $1_A$ (which by (4) is equal to $\mu h.\ \alpha^{-1} \circ F(h) \circ \alpha$) to show $1_A \circ \pi_1 \le \pi_2$:

• $(\lambda a \in A.\ \bot_A) \circ \pi_1 \le \pi_2$.

• Suppose $h \circ \pi_1 \le \pi_2$. Then

$\alpha^{-1} \circ F(h) \circ \alpha \circ \pi_1 \le \alpha^{-1} \circ F(h) \circ F(\pi_1) \circ \beta$ (because $\alpha \circ \pi_1 \le F(\pi_1) \circ \beta$)
$= \alpha^{-1} \circ F(h \circ \pi_1) \circ \beta$
$\le \alpha^{-1} \circ F(\pi_2) \circ \beta$ (because $h \circ \pi_1 \le \pi_2$ and $F$ is locally monotonic)
$= \alpha^{-1} \circ \alpha \circ \pi_2$
$= \pi_2.$


(3) ⇒ (2'): We prove this implication, from which the equivalence of (1) – (5) follows, under the assumption that $F$ weakly preserves ordered kernel pairs.

By assumption $\alpha$ is dense-epi. Consider a homomorphism of coalgebras $e : (A, \alpha) \to (B, \beta)$ and suppose $e$ is dense-epi. We shall prove that $e$ is an isomorphism. Define

$R_e = \{ (a, a') \in A \times A \mid e(a) \sqsubseteq e(a') \}.$

The continuity and the strictness of $e$ imply that $R_e$ is a cpo. Below it is shown that it can be extended to an $F$-coalgebra $(R_e, \gamma)$, such that $(R_e, \gamma)$ is an ordered $F$-bisimulation on $(A, \alpha)$. Then from the order strong-extensionality of $(A, \alpha)$ it follows that $R_e \subseteq\ \sqsubseteq_A$. Hence $e$ is a strict order-monic and since $e$ is also dense-epi, it is an isomorphism (see the Appendix).

For the existence of an arrow $\gamma : R_e \to F(R_e)$ the assumption that $F$ weakly preserves ordered kernel pairs will be used. Consider $R_e$ with its two projections $\pi_1, \pi_2 : R_e \to A$, for which by definition $e \circ \pi_1 \le e \circ \pi_2$. Since $(R_e, \pi_1, \pi_2)$ is an ordered kernel pair for $e$, $(F(R_e), F(\pi_1), F(\pi_2))$ is by assumption a weak ordered kernel pair for $F(e)$. Now

$F(e) \circ \alpha \circ \pi_1 = \beta \circ e \circ \pi_1 \le \beta \circ e \circ \pi_2 = F(e) \circ \alpha \circ \pi_2,$

from which the existence of an arrow $\gamma : R_e \to F(R_e)$, with $\alpha \circ \pi_1 \le F(\pi_1) \circ \gamma$ and $\alpha \circ \pi_2 = F(\pi_2) \circ \gamma$, follows. Thus $(R_e, \gamma)$ is an ordered $F$-bisimulation. □

The fact that the final $F$-coalgebra $(D, \iota)$ from Theorem 4 is order strongly-extensional was already proved in [RT93]. (The proof given there makes explicit use of the way $D$ is constructed (as the projective limit of its defining $\omega$-chain).) The equivalence of finality and maximal-finality ((1) and (5)) is due to [Plo91].

The main contribution of the above theorem is the proof of (3) ⇒ (2'), showing (for functors that weakly preserve ordered kernel pairs) that coalgebras are final if they are strongly extensional. Most functors (lifting, sum and so on) weakly preserve ordered kernel pairs.

Note that for locally continuous functors on $\mathbf{CPO}_\bot$ there always exists an arrow from any $F$-coalgebra to an $F$-coalgebra $(A, \alpha)$ for which $\alpha$ is an isomorphism. For such functors, therefore, a final coalgebra is completely determined by the uniqueness part in the definition of finality. This explains why order strong-extensionality can be shown to be equivalent to finality.

Clearly, the clauses (1), (2) and (4) are fairly straightforward dualizations of the corresponding clauses in Plotkin's induction theorem (repeated here as Theorem 10 in the appendix). The proofs of the equivalence of (1) and (2), and of the implications (1) ⇒ (4) and (4) ⇒ (2), are immediate from the corresponding parts in the proof of the induction theorem. Clause (3) above cannot be seen as a dualization of any of the clauses of Theorem 10. For a further remark on this point see Section 8.

6  Ordered  final  semantics 

Final coalgebras are furthermore characterized by the following theorem, which shows that they present a natural way of modelling bisimulation.

Theorem 9. Let $F : \mathbf{CPO}_\bot \to \mathbf{CPO}_\bot$ be a locally continuous functor, and suppose that $F$ weakly preserves ordered kernel pairs. Let $(A, \alpha)$ be a final $F$-coalgebra and let $f : (B, \beta) \to (A, \alpha)$ be a coalgebra homomorphism (which is unique by finality of $(A, \alpha)$). For all $b, b' \in B$,

$b \sqsubseteq_F b' \iff f(b) \sqsubseteq_A f(b').$

Proof: 

From left to right: consider $b, b' \in B$ with $b \sqsubseteq_F b'$. Let $(R, \gamma)$ be an ordered $F$-bisimulation on $(B, \beta)$ with $b\,R\,b'$. From

    R   ---π_1--->   B   ----f---->   A   <----f----   B   <---π_2---   R
    |γ       ≥       |β               |α               |β       =       |γ
  F(R) ---F(π_1)--> F(B) ---F(f)---> F(A) <---F(f)--- F(B) <--F(π_2)--- F(R)

it follows that $f \circ \pi_1$ is a lax-homomorphism from $(R, \gamma)$ to $(A, \alpha)$ and that $f \circ \pi_2$ is the (by finality of $(A, \alpha)$) unique coalgebra homomorphism from $(R, \gamma)$ to $(A, \alpha)$. It follows from Theorem 8 (clause (5)) that $f \circ \pi_1 \le f \circ \pi_2$. Thus

$f(b) \sqsubseteq_A f(b').$

As in the proof of (3) ⇒ (2') in Theorem 8, it can be shown that the ordered kernel pair

$R_f = \{ (b, b') \in B \times B \mid f(b) \sqsubseteq_A f(b') \}$

of $f$ can be extended to an ordered $F$-bisimulation $(R_f, \gamma)$ on $(B, \beta)$ (using the fact that $F$ weakly preserves ordered kernel pairs), from which the implication from right to left follows. □

The unique arrow $f : (B, \beta) \to (A, \alpha)$ could be called (having in mind, e.g., a transition system represented by $(B, \beta)$) the ordered final semantics for $(B, \beta)$. Cf. the final semantics of [Acz88, RT93], where symmetric $F$-bisimulations are used.

The above theorem can be seen as yet another characterization of final coalgebras, since its reverse also holds: if $(A, \alpha)$ is an $F$-coalgebra such that for all coalgebra homomorphisms $f : (B, \beta) \to (A, \alpha)$ and for all $b, b' \in B$,

$b \sqsubseteq_F b' \iff f(b) \sqsubseteq_A f(b'),$

then $(A, \alpha)$ is a final $F$-coalgebra. Take $(A, \alpha)$ for $(B, \beta)$ and $1_A$ for $f$ to see that $(A, \alpha)$ is order strongly-extensional (using in addition the fact that $\sqsubseteq_A$ is itself an ordered $F$-bisimulation); by Theorem 8, $(A, \alpha)$ is final.

Example 1, continued. Let $N$ be the set of natural numbers with the usual ordering and extended with a top element $\omega$, and let $\phi : N \to (N)_\bot$ be the obvious isomorphism. Then $(N, \phi)$ is a final coalgebra of the functor $(\cdot)_\bot : \mathbf{CPO}_\bot \to \mathbf{CPO}_\bot$. For a deterministic partial transition system $(S, \to)$, represented as a $(\cdot)_\bot$-coalgebra $(S, \alpha)$, the final semantics $f : (S, \alpha) \to (N, \phi)$ maps a state $s \in S$ to the natural number (possibly $\omega$) corresponding to the number of transition steps that can be taken starting in $s$. □

Example 2, continued. The functor $\mathcal{P} : \mathbf{CPO}_\bot \to \mathbf{CPO}_\bot$, which takes a cpo $D$ to the Plotkin powerdomain (with empty set) of $(D)_\bot$, is locally continuous (see [Plo81]) and has by Theorem 5 a final coalgebra $(P, \psi)$. By Theorem 8, we know that $(P, \psi)$ is order strongly-extensional, thus finding back (an "unlabelled" version of) Proposition 3.10 from [Abr91]. Since $\mathcal{P}$ can be shown to weakly preserve ordered kernel pairs, Theorem 9 applies. Thus for the final semantics $f : (S, \alpha) \to (P, \psi)$ of a nondeterministic transition system $(S, \to, \uparrow)$, represented as the $\mathcal{P}$-coalgebra $(S, \alpha)$, we have for all $s, t \in S$,

$s \sqsubseteq_{\mathcal{P}} t \iff f(s) \sqsubseteq_P f(t),$

sometimes called the full abstractness of $f$. (Similar results are obtained in [Abr91] by means of Stone duality.) □
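Examples 1 and 2 and their continuations, made concrete as an added illustration (this is not code from the paper). The Python below computes the largest ordered $\mathcal{P}$-bisimulation of Example 2 (Abramsky's partial bisimulation, i.e. the relation $s \sqsubseteq_{\mathcal{P}} t$) on a small finitely branching transition system with divergence by greatest-fixed-point iteration, which is coinduction carried out by hand: start from all pairs and discard those that violate one of the two clauses until nothing changes. It also computes the step-count semantics of Example 1 (continued) and checks on a deterministic system that the bisimulation order coincides with comparing step counts, as Theorem 9 predicts. The state names and sample systems are constructed for this example, and the encoding of a deterministic partial system as a system with divergence (a stuck state is read as diverging) is my own choice, not the paper's; $\bot_S$ is left out since it takes part in no transition and is below everything.

```python
"""Added example (not from the paper): the relations of Examples 1 and 2
computed on small, constructed transition systems.

States are strings, the transition relation is a set of pairs and the
divergence set is a set of states.  The bottom state ⊥_S of the paper is
omitted: it takes part in no transition and is below everything, so it
never affects which ordinary states are related.
"""
from itertools import product

OMEGA = float("inf")   # plays the top element omega of N in Example 1, continued


def successors(trans, s):
    """The (finite) set of s' with s -> s'."""
    return {t for (x, t) in trans if x == s}


def partial_bisimulation(states, trans, div):
    """Largest ordered P-bisimulation (Abramsky's partial bisimulation) on the
    system (S, ->, div) of Example 2, i.e. the relation s ⊑_P t.

    Coinductive computation: start from all of S x S and repeatedly discard
    pairs (s, t) violating one of the two clauses
      (i)  s -> s'      ==>  t -> t' for some t' with s' R t';
      (ii) s converges  ==>  t converges, and t -> t' implies s -> s'
                             for some s' with s' R t'.
    Both clauses refer to R only positively, so the iteration stops at the
    greatest relation satisfying them: the union of all partial bisimulations.
    """
    succ = {s: successors(trans, s) for s in states}
    rel = set(product(states, states))
    changed = True
    while changed:
        changed = False
        for s, t in sorted(rel):                    # snapshot; rel shrinks below
            ok = all(any((s2, t2) in rel for t2 in succ[t]) for s2 in succ[s])
            if ok and s not in div:                 # clause (ii): only for convergent s
                ok = t not in div and all(
                    any((s2, t2) in rel for s2 in succ[s]) for t2 in succ[t])
            if not ok:
                rel.discard((s, t))
                changed = True
    return rel


def steps(trans, s):
    """Example 1, continued: the final semantics of a deterministic partial
    transition system sends s to the number of steps possible from s, with
    OMEGA for an infinite run (on a finite system: a revisited state)."""
    seen, n = set(), 0
    while True:
        nxt = successors(trans, s)
        if len(nxt) > 1:
            raise ValueError(f"{s!r} has more than one successor")
        if not nxt:
            return n
        if s in seen:
            return OMEGA
        seen.add(s)
        (s,) = nxt
        n += 1


def stuck_states(states, trans):
    """States without a successor (alpha(s) = ⊥_new in Example 1)."""
    return {s for s in states if not successors(trans, s)}


def agrees_with_step_count(states, trans):
    """Encoding (my choice, not the paper's): read a deterministic partial
    system as a system with divergence whose diverging states are the stuck
    ones.  Clause (ii) then never constrains a stuck s and, by determinism,
    adds nothing to clause (i) otherwise, so the partial bisimulation is the
    ordered (.)_⊥-bisimulation of Example 1.  Check that it coincides with
    comparing step counts, as Example 1 (continued) and Theorem 9 predict."""
    rel = partial_bisimulation(states, trans, stuck_states(states, trans))
    return all(((s, t) in rel) == (steps(trans, s) <= steps(trans, t))
               for s, t in product(states, states))


# Constructed sample systems (not from the paper).
NONDET_STATES = {"s", "s1", "s2", "t", "t1"}
NONDET_TRANS = {("s", "s1"), ("s", "s2"), ("t", "t1")}
NONDET_DIV = {"s2"}          # s may move to a diverging state, t cannot

DET_STATES = {"a", "b", "c", "p", "q", "z"}
DET_TRANS = {("a", "b"), ("b", "c"), ("p", "q"), ("q", "p")}

if __name__ == "__main__":
    rel = partial_bisimulation(NONDET_STATES, NONDET_TRANS, NONDET_DIV)
    print(("s", "t") in rel, ("t", "s") in rel)           # s ⊑ t but not t ⊑ s
    print(agrees_with_step_count(DET_STATES, DET_TRANS))  # True
```

In the nondeterministic sample, $s$ is below $t$ (its extra option is a diverging state, so $t$ is more defined) but not conversely, because clause (ii) fails for the convergent $t_1$ against the diverging $s_2$. With an empty divergence set both clauses always apply and the same iteration yields ordinary symmetric bisimilarity.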
7 Metric spaces

In [AM89], bisimulations are defined as coalgebras $(R, \beta)$ (in a category of classes) for which both projections $\pi_1$ and $\pi_2$ are coalgebra homomorphisms (not only $\pi_2$). For such symmetric bisimulations, the category of complete metric spaces offers a suitable framework as well. It has been studied in great detail in [RT93]. In this section, we shall point out that the preceding co-induction theorem also applies to metric spaces, and next use the resulting theorem to prove some properties of a metric hyperuniverse.

Let $\mathbf{CMS}$ be the category with (1-bounded) complete metric spaces $(D, d_D)$ as objects and non-expansive (non-distance-increasing) functions as arrows. (For basic facts on metric spaces see, e.g., [Eng89].) Hom sets in $\mathbf{CMS}$ are themselves complete metric spaces, using as a metric on arrows the usual pointwise extension. A functor $F$ on $\mathbf{CMS}$ is locally contracting if there exists $\varepsilon$ with $0 < \varepsilon < 1$ such that, for all $D, E$, the mapping $F_{D,E}$ is a contraction with factor $\varepsilon$. In [RT93], it is shown (extending earlier results of [AR89]) that every locally contracting functor $F$ has a unique fixed point which is both an initial $F$-algebra and a final $F$-coalgebra.

A 'metric version' of Theorem 8 is obtained by dropping (both in the formulation of the theorem and in its proof) the word 'order(ed)' everywhere; considering in clause (3) only symmetric bisimulations; replacing in clause (4) the least fixed-point characterization of $1_A$ by the statement that it is the unique fixed point; and by dropping clause (5) (the notion of lax-homomorphism does not make sense in a metric setting). Note that the definitions of 'weakly preserving kernel pairs' and 'dense-epi' can be adapted straightforwardly. The proof can be almost literally copied: the proof of (4) ⇒ (2) becomes somewhat simpler because of the uniqueness of $1_A$; and in the proof of (3) ⇒ (2'), the kernel pair of $e$ should be taken rather than the ordered kernel pair.

Examples. Let $\mathcal{P}_c : \mathbf{CMS} \to \mathbf{CMS}$ be defined by, for all $(D, d_D) \in \mathbf{CMS}$,

$\mathcal{P}_c(D) = \{ X \subseteq D \mid X \text{ is compact (w.r.t. } d_D) \}.$

(The metric on $\mathcal{P}_c(D)$ is the so-called Hausdorff metric.) For every $\varepsilon$ with $0 < \varepsilon < 1$, the 'shrinking' functor $id_\varepsilon$ is given by, for any $(D, d_D)$,

$id_\varepsilon((D, d_D)) = (D, \varepsilon \cdot d_D).$

Clearly $id_\varepsilon$ is locally contracting. Taking the composition $\mathcal{P}_c \circ id_\varepsilon$ (which we shall by abuse of notation again denote by $\mathcal{P}_c$) yields again a locally contracting functor. Thus there exists a fixed point

$\gamma : H \cong \mathcal{P}_c(H),$

and $(H, \gamma)$ is a final $\mathcal{P}_c$-coalgebra. □

Because the metric space $H$ is isomorphic to the collection of its compact subsets (note the presence of the 'metric shrinker' $id_\varepsilon$, though), it is an instance of a hyperuniverse. (See [FH92] for a general construction of hyperuniverses, and [FH83] and [Acz88] for a hyperuniverse based on a non-standard collection of axioms. Cf. [Abr88, MMO89, Rut91].) By putting, for $p, p' \in H$,

$p' \in_H p \ \equiv\ p' \in \gamma(p),$

$H$ can be easily seen to contain all so-called hereditarily finite sets and their limits (with respect to the metric on $H$). Note that these limits need not be hereditarily finite themselves.

As pointed out in [Abr88], the standard axioms of set theory hold in $H$, with topological versions of separation, replacement and choice. By (the metric version of) Theorem 8, strong extensionality can be added to these axioms: two sets in $H$ are equal if and only if they are $\mathcal{P}_c$-bisimilar. E.g., for $p, q \in H$ with (omitting the isomorphism $\gamma$)

$p = \{p\}, \qquad q = \{q\},$

$p = q$ follows from the fact that $\{(p, q)\}$ is a $\mathcal{P}_c$-bisimulation on $H$.

8  Conclusion 

As was observed above, the characterization of final coalgebras in terms of strong extensionality (clause (3) of Theorem 8) does not have a dual counterpart among the clauses of the structural induction theorem (Theorem 10 in the Appendix). However, the latter theorem can be extended with a fifth, equivalent clause that comes close to being the dual of clause (3) of Theorem 8, as follows. An $F$-congruence on an $F$-algebra $(A, \alpha)$ is an $F$-algebra $(R, \beta)$ with $R$ a relation on $A$ such that the projections $\pi_1, \pi_2 : (R, \beta) \to (A, \alpha)$ are homomorphisms of $F$-algebras. This definition generalizes the standard notion of a congruence on $\Sigma$-algebras. Note that it is dual to the definition of symmetric bisimulation. Clauses (1) through (4) of Theorem 10 can be shown to be equivalent to the following statement: there exists $\beta : F(\Delta) \to \Delta$ (with $\Delta = \{ (a, a') \in A \times A \mid a = a' \}$) such that $(\Delta, \beta)$ is the smallest $F$-congruence on $(A, \alpha)$.
9 Appendix

Some  categorical  notions 

Let $\mathbf{C}$ be a category. An arrow $m : A \to B$ is called monic if for any two arrows $f, g : D \to A$ the equality $m \circ f = m \circ g$ implies $f = g$. An arrow $e : A \to B$ is called epi if for any two arrows $f, g : B \to D$ the equality $f \circ e = g \circ e$ implies $f = g$.

A kernel pair (see [Lan71]) for an arrow $f : B \to C$ in $\mathbf{C}$ consists of an object $A$ and a pair of arrows $h : A \to B$ and $k : A \to B$ such that $f \circ h = f \circ k$, and such that for any other object $A'$ and arrows $h' : A' \to B$ and $k' : A' \to B$ with $f \circ h' = f \circ k'$, there exists a unique arrow $e : A' \to A$ satisfying $h' = h \circ e$ and $k' = k \circ e$:

   A'
   | e        h
   v       ------>
   A  ============> B ---f---> C
           ------>
              k

Ordered  kernel  pairs 

In $\mathbf{C} = \mathbf{CPO}_\bot$, the above definition can be generalized as follows. An ordered kernel pair for a function $f : B \to C$ in $\mathbf{CPO}_\bot$ consists of a cpo $A$ and a pair of functions $h : A \to B$ and $k : A \to B$ such that $f \circ h \le f \circ k$, and such that for any other cpo $A'$ and functions $h' : A' \to B$ and $k' : A' \to B$ with $f \circ h' \le f \circ k'$, there exists a unique arrow $e : A' \to A$ satisfying $h' = h \circ e$ and $k' = k \circ e$.

The cpo $A$ with functions $h$ and $k$ is called a weak ordered kernel pair for $f$ if for any other cpo $A'$ and functions $h' : A' \to B$ and $k' : A' \to B$ with $f \circ h' \le f \circ k'$, there exists an arrow $e : A' \to A$ (not necessarily unique) satisfying $h' \le h \circ e$ (rather than $h' = h \circ e$) and $k' = k \circ e$.

A functor $F : \mathbf{CPO}_\bot \to \mathbf{CPO}_\bot$ weakly preserves ordered kernel pairs if it transforms ordered kernel pairs for functions $f$ into weak ordered kernel pairs for $F(f)$.


Some  further  order-theoretic  notions 

Let $D$ be a cpo and consider a continuous function $f : D \to D$. (That is, $f$ preserves least upper bounds of $\omega$-chains.) Then $f$ has a least fixed point, which is denoted by $\mu x.\ f(x)$.

A subset $P \subseteq D$ is called $\omega$-inductive if every chain $(x_n)_n$ in $P$ has its least upper bound in $P$.

The following is called the principle of fixed-point induction. Let $f : D \to D$ be continuous and let $P \subseteq D$ be $\omega$-inductive. Then

$(\bot \in P \ \wedge\ (\forall x \in D\,[x \in P \Rightarrow f(x) \in P])) \ \Rightarrow\ (\mu x.\ f(x)) \in P.$

A strict order-monic (see [Plo81]) is a strict continuous function (in $\mathbf{CPO}_\bot$) $m : A \to B$ such that for any two arrows $f, g : D \to A$ the inequality $m \circ f \le m \circ g$ implies $f \le g$. It is easy to see that $m$ is a strict order-monic if and only if, for all $a, a' \in A$,

$a \sqsubseteq a' \iff m(a) \sqsubseteq m(a').$

A strict continuous function $e : A \to B$ is dense-epi if it is epi and moreover satisfies $cl(e(A)) = B$, where $cl(e(A))$ is the least subset of $B$ that contains $e(A)$ and that is closed under least upper bounds of $\omega$-chains. (In fact the condition $cl(e(A)) = B$ can be shown, by transfinite induction, to imply the fact that $e$ is epi. See [LP82] for an explanation why "Epis need not be dense".)

If $m : A \to B$ is both a strict order-monic and dense-epi, then $m$ is an isomorphism: $m(A) = cl(m(A))$ since $m$ is a strict order-monic, and $cl(m(A)) = B$ since $m$ is dense-epi. Thus $m$ is a bijective order-embedding.


The  structural  induction  theorem 

In [Plo81] (Theorem 4 of Chapter 5), the following theorem is proved. (See also [LS81] for a similar result.)

Theorem 10. Let $F : \mathbf{CPO}_\bot \to \mathbf{CPO}_\bot$ be a locally continuous functor which preserves inclusions. (That is, if $\iota : A \subseteq B$ then $F(\iota) : F(A) \subseteq F(B)$.) Let $\alpha : F(A) \to A$ be an $F$-algebra. Then the following four statements are equivalent:

1. $(A, \alpha)$ is an initial $F$-algebra.

2. $\alpha$ is a strict order-monic, and for every strict order-monic $m : B \to A$: if there exists $\beta : F(B) \to B$ such that $m : (B, \beta) \to (A, \alpha)$ is a homomorphism of algebras (i.e., $m \circ \beta = \alpha \circ F(m)$), then $m$ is an isomorphism.

3. $\alpha$ is a strict order-monic, and for every $\omega$-inductive $P \subseteq A$ the following principle of structural induction holds:

$(\bot \in P \ \wedge\ (\forall x \in F(A)\,[x \in F(P) \Rightarrow \alpha(x) \in P])) \ \Rightarrow\ P = A.$

4. $\alpha$ is an isomorphism and $1_A = \mu h.\ \alpha \circ F(h) \circ \alpha^{-1}$.

The assumption that $F$ preserves inclusions is only used to prove the equivalence of (2) and (3). This property is satisfied by most covariant functors.
Abstract. A new metric domain of processes is presented. This domain is located in between two metric process domains introduced by De Bakker and Zucker. The new process domain characterizes the collection of image finite processes. This domain has as advantages over the other process domains that no complications arise in the definitions of operators like sequential composition and parallel composition, and that image finite language constructions like random assignment can be modelled in an elementary way. As in the other domains, bisimilarity and equality coincide in this domain.

The three domains are obtained as unique (up to isometry) solutions of equations in a category of 1-bounded complete metric spaces. In case the action set is finite, the three domains are shown to be equal (up to isometry). For infinite action sets, e.g., equipollent to the set of natural or real numbers, the process domains are proved not to be isometric.


Introduction 

In semantics, a process is usually understood as a behaviour of a system. Labelled transition systems have proved to be suitable for describing the behaviour (or operational semantics) of a system (cf. [Plo81]). A labelled transition system can be viewed as a rooted directed graph of which the edges are labelled by actions (cf. [BK87]), or as a tree of which the edges are labelled by actions, which is obtained by unfolding the graph. The semantic notion of a process is usually defined by means of a suitable behavioural equivalence over the labelled transition systems. Bisimilarity (cf. [Par81]) is commonly accepted as the finest behavioural equivalence over labelled transition systems (cf. [Gla90, Gla93]).

In this paper, processes are studied from the point of view of denotational semantics. In the literature, domains of processes are found for several mathematical structures. For complete partial orders, process domains are presented by Milne and Milner in [MM79], and Abramsky in [Abr91]. Aczel introduces in [Acz88] a process domain for non-well-founded sets. For complete metric spaces, process domains are presented by De Bakker and Zucker in [BZ82, BZ83], and Golson and Rounds in [GR83, Gol84].

Aczel shows in [Acz88] that processes can be viewed as labelled transition systems. Bisimulation relations on these labelled transition systems induce bisimulation relations on the processes. A process domain is called strongly extensional (or internally fully abstract) if bisimilarity (being the largest bisimulation relation) coincides with equality, i.e. processes are bisimilar if and only if they are equal. Abramsky and Aczel prove that their process domains are strongly extensional. The process domains introduced by De Bakker and Zucker in [BZ82] and [BZ83] are shown to be strongly extensional by Van Glabbeek and Rutten in [GR89] and [Rut92].

The metric process domains introduced by De Bakker and Zucker in [BZ82] and [BZ83], which will be denoted by $P_1$ and $P_2$ in the sequel, and a third process domain, which will be denoted by $P_3$, are studied in detail in this paper. Processes can be viewed as trees (both finite and infinite in depth) of which the edges are labelled by actions, and which are absorptive, i.e. for all nodes of a tree the collection of subtrees of that node is a set instead of a multiset, and commutative. For example, the tree

[figure: a tree whose root has three identical $a$-labelled branches]

is not a process, and

[figure: the tree whose root has two $a$-labelled branches]

is the process obtained by absorption. Furthermore, the processes

[figure: two trees differing only in the order of their branches]

are identified by commutativity. The processes are endowed with a metric such that the distance between processes decreases if the maximal depth at which the truncations of the processes coincide increases. All processes considered in this paper are closed with respect to this metric. For example, the process

[figure: a process with an infinite $a$-labelled branch]

including the infinite branch is closed, in contrast with the process not containing this infinite branch.

A process is called finitely branching if each node has only finitely many outgoing edges. A process is called image finite if, for each action, each node has only finitely many outgoing edges labelled with that action. A finitely branching process is image finite, but an image finite process is in general not finitely branching. For example, the process

[figure omitted: a root with infinitely many outgoing edges, each labelled with a different action]

is image finite but not finitely branching. The process

[figure omitted: a process which is neither finitely branching nor image finite]

is an example of a general (or unrestricted) process which is neither finitely branching nor image finite. The process domains P1, P2, and P3 can be shown to correspond to the collections of (finite in depth and)

•  general  processes, 

•  finitely  branching  processes,  and 

•  image  finite  processes. 

For example, the correspondence between the process domain P3 and the collection of image finite processes of finite depth will be accomplished as follows. First, the space of image finite processes of finite depth is completed. In this way, a complete metric space of (finite and infinite in depth) processes is obtained. Second, the completed space is shown to be isometric to the process domain P3.

The three process domains can be related in the following way. The process domain P2 can be isometrically embedded in the process domain P3 and the process domain P3 can be isometrically embedded in the process domain P1. If the action set is finite, then the three process domains can be shown to be isometric. If the action set is infinite, e.g., equipollent to the set of natural or real numbers, then it can be demonstrated that the three process domains are not isometric.

For P1-processes, complications arise in the definitions of the following operators:

•  sequential  composition  (cf.  [BZ82,  BM88]), 

•  parallel  composition  (cf.  [BZ82,  BM88,  ABKR89,  AR92]), 

•  trace  set  as  defined  by  De  Bakker  et  al.  in  [BBKM84],  and 
•  fairification as defined by Rutten and Zucker in [RZ92].

For example, it is not possible to give a (denotational) definition of the sequential composition of P1-processes which coincides with the operational definition of the sequential composition. (Note that processes can be viewed as labelled transition systems.) In [BM88], the sequential composition of P1-processes is not well-defined. The definition of the sequential composition in [BZ82] is well-defined, but does not coincide with the operational one. It can be shown that these complications do not arise in the definitions of the operators mentioned above on P2- and P3-processes.

Unlike the process domain P2, the process domain P3 makes an elementary semantic modelling of image finite language constructions like random assignment possible (cf. [Bre94]). (For a detailed overview of metric semantic models the reader is referred to [BR92].)

Novel in the present paper are

•  the process domain P3, which can be shown to correspond to the class of image finite processes and to be strongly extensional,

•  the detailed comparison of the process domains P1, P2, and P3 showing that the three process domains are isometric if the action set is finite and that they are not isometric for infinite action sets, and

•  the relation of the process domains P1, P2, and P3 with the classes of general, finitely branching, and image finite processes, extending results concerning the process domains P1 and P2 of [BZ82] and [BZ83].

In the first section of this paper, some preliminaries concerning metric spaces can be found. In the second section, the three process domains are introduced. In the third section, the correspondence between P1-, P2-, and P3-processes and general, finitely branching, and image finite processes is studied. The process domains are related as described above in the fourth section. In the fifth section, the process domains are shown to be strongly extensional. In the sixth section, some complications arising in the definition of the sequential composition of P1-processes are pinpointed. Furthermore, it is shown that these complications do not arise in the definition of this operator on P3-processes. The other three operators, viz. parallel composition, trace set, and fairification, are considered in [Bre94].

In  this  paper,  several  definitions  from  other  papers  have  been  modified  slightly 
to  stress  the  correspondence  with  the  other  definitions. 

1  Metric  spaces 

Some preliminaries concerning metric spaces are presented. Only some nonstandard notions, i.e. notions which are not found in the main text of [Eng89], are introduced.

Contractive functions, which are called contractions, are introduced in

Definition 1. Let $(X, d_X)$ and $(X', d_{X'})$ be metric spaces. A function $f : X \to X'$ is called contractive if there exists an $\varepsilon$, with $0 \le \varepsilon < 1$, such that, for all $x$ and $x'$,

$$d_{X'}(f(x), f(x')) \le \varepsilon \cdot d_X(x, x').$$

These contractions play a central role in

Theorem 2 (Banach's theorem). Let $(X, d_X)$ be a complete metric space. If $f : X \to X$ is a contraction then $f$ has a unique fixed point $\mathrm{fix}(f)$. For all $x$,

$$\lim_{n} f^n(x) = \mathrm{fix}(f)$$

where

$$f^0(x) = x \quad \text{and} \quad f^{n+1}(x) = f(f^n(x)).$$

Proof. See Theorem II.6 of [Ban22]. □

In this paper, several recursive definitions are presented (cf. Definitions 12, 14, 15, 22, and 24). Banach's theorem can be used to prove the well-definedness of these definitions (cf. [KR90]).

The embeddings to be introduced in Section 4 will be defined by means of nonexpansive functions.

Definition 3. Let $(X, d_X)$ and $(X', d_{X'})$ be metric spaces. A function $f : X \to X'$ is called nonexpansive if, for all $x$ and $x'$,

$$d_{X'}(f(x), f(x')) \le d_X(x, x').$$

2  Three  process  domains 

Three  process  domains  are  presented.  These  process  domains  are  defined  by 
means  of  recursive  domain  equations. 

In [AR89], America and Rutten present a category theoretic technique to solve recursive domain equations. The objects of the category are 1-bounded complete metric spaces. With a domain equation a functor is associated. If this functor satisfies certain conditions, then it has a unique fixed point (up to isometry) which is the intended solution of the domain equation.

The recursive domain equations, by which the process domains are defined, are built from an action set $A$, which is endowed with the discrete metric, and the constructions described in

Definition 4. Let $(X, d_X)$ and $(X', d_{X'})$ be 1-bounded complete metric spaces. A metric on the Cartesian product of $X$ and $X'$, $X \times X'$, is defined by

$$d_{X \times X'}((x, x'), (\bar{x}, \bar{x}')) = \max\{ d_X(x, \bar{x}), d_{X'}(x', \bar{x}') \}.$$

A metric on the collection of functions from $X$ to $X'$, $X \to X'$, is defined by

$$d_{X \to X'}(f, f') = \sup\{ d_{X'}(f(x), f'(x)) \mid x \in X \}.$$

A new metric on $X$ is defined by

$$d_{id_{\frac{1}{2}}(X)}(x, \bar{x}) = \tfrac{1}{2} \cdot d_X(x, \bar{x}).$$

The Hausdorff metric on the set of closed subsets of $X$, $\mathcal{P}_{cl}(X)$, and on the set of compact subsets of $X$, $\mathcal{P}_{co}(X)$, is defined by

$$d_{\mathcal{P}(X)}(A, B) = \max\{ \sup\{ \inf\{ d_X(x, x') \mid x' \in B \} \mid x \in A \}, \sup\{ \inf\{ d_X(x, x') \mid x' \in A \} \mid x \in B \} \}$$

where $\sup \emptyset = 0$ and $\inf \emptyset = 1$.

The three process domains are introduced in

Definition 5. The process domains P1, P2, and P3 are defined by the recursive domain equations

$$P_1 \cong \mathcal{P}_{cl}(A \times id_{\frac{1}{2}}(P_1))$$

$$P_2 \cong \mathcal{P}_{co}(A \times id_{\frac{1}{2}}(P_2))$$

$$P_3 \cong A \to \mathcal{P}_{co}(id_{\frac{1}{2}}(P_3))$$

Processes as described in the introduction can be represented by elements of these process domains. For example, the process

[figure omitted: a root with an edge labelled a and an edge labelled b]

is represented by the P1- and P2-process

$$\{ (a, \emptyset), (b, \emptyset) \}$$

and by the P3-process

$$\lambda a' . \begin{cases} \{ \lambda a'' . \emptyset \} & \text{if } a' = a \text{ or } a' = b \\ \emptyset & \text{otherwise} \end{cases}$$

The process

[figure omitted: a root with two edges labelled a, one of which leads to an edge labelled b]

is represented by the P1- and P2-process

$$\{ (a, \{ (b, \emptyset) \}), (a, \emptyset) \}$$

and by the P3-process

$$\lambda a' . \begin{cases} \{ p_0, p_1 \} & \text{if } a' = a \\ \emptyset & \text{otherwise} \end{cases}$$

where

$$p_0 = \lambda a'' . \begin{cases} \{ \lambda a''' . \emptyset \} & \text{if } a'' = b \\ \emptyset & \text{otherwise} \end{cases}$$

$$p_1 = \lambda a'' . \emptyset.$$

Not every process can be represented in all three process domains. In Section 4, we will show that the process domain P3 is located in between P1 and P2, i.e. P2 can be isometrically embedded in P3 and P3 can be isometrically embedded in P1.


[figure omitted: picture of the nested process domains P2, P3, and P1, with the regions outside the smaller domains shaded]

Next, processes in the shaded regions of the above picture are presented. The process

[figure omitted: a root with infinitely many outgoing edges labelled $a_0, a_1, a_2, \ldots$, each leading to a leaf]

is represented by the P1-process

$$\{ (a_n, \emptyset) \mid n \in \mathbb{N} \}.$$

However, this is not a P2-process, because the above set is closed but not compact. The process is also represented by the P3-process

$$\lambda a' . \begin{cases} \{ \lambda a'' . \emptyset \} & \text{if } a' = a_n \text{ for some } n \\ \emptyset & \text{otherwise} \end{cases}$$

The process

[figure omitted: a root with infinitely many outgoing edges labelled a, the n-th of which leads to a single edge labelled $a_n$]

is represented by the P1-process

$$\{ (a, \{ (a_n, \emptyset) \}) \mid n \in \mathbb{N} \}.$$

Again, this is not a P2-process, because the above set is not compact. The process can also not be represented by a P3-process. The obvious candidate

$$\lambda a' . \begin{cases} \{ p_n \mid n \in \mathbb{N} \} & \text{if } a' = a \\ \emptyset & \text{otherwise} \end{cases}$$

where

$$p_n = \lambda a'' . \begin{cases} \{ \lambda a''' . \emptyset \} & \text{if } a'' = a_n \\ \emptyset & \text{otherwise} \end{cases}$$

is not a P3-process, since the set

$$\{ p_n \mid n \in \mathbb{N} \}$$

is not compact.


3  Finite  processes 

The three process domains are related to certain collections of finite (in depth) processes. It is demonstrated that P1-, P2-, and P3-processes correspond to general, finitely branching, and image finite processes, respectively.

The set of processes of finite depth is introduced in

Definition 6. The set $P_1^*$ of processes of finite depth is defined by

$$P_1^* = \bigcup \{ P_1^n \mid n \in \mathbb{N} \}$$

where

$$P_1^n = \begin{cases} \{ \emptyset \} & \text{if } n = 0 \\ \mathcal{P}(A \times P_1^{n-1}) & \text{otherwise} \end{cases}$$

Obviously, each $P_1^*$-process is a P1-process. The $P_1^*$-processes are endowed with the restriction of the metric on the P1-processes. The obtained metric space is not complete. For example, the sequence $(p_n)_n$ of $P_1^*$-processes defined by

$$p_n = \begin{cases} \emptyset & \text{if } n = 0 \\ \{ (a, p_{n-1}) \} & \text{otherwise} \end{cases}$$

is a Cauchy sequence but does not have a limit in $P_1^*$ (the sequence converges to a process of infinite depth). The metric completion of the metric space of $P_1^*$-processes, which is denoted by $\overline{P_1^*}$, is shown to be isometric to the process domain P1 in

Theorem 7. $\overline{P_1^*} \cong P_1$.

Proof. See Theorem 2.11 of [BZ82]. □

The set of finitely branching processes of finite depth is introduced in the following definition, in which $\mathcal{P}_{fi}$ denotes the set of all finite subsets.

Definition 8. The set $P_2^*$ of finitely branching processes of finite depth is defined by

$$P_2^* = \bigcup \{ P_2^n \mid n \in \mathbb{N} \}$$

where

$$P_2^n = \begin{cases} \{ \emptyset \} & \text{if } n = 0 \\ \mathcal{P}_{fi}(A \times P_2^{n-1}) & \text{otherwise} \end{cases}$$

Similarly, the metric completion of the metric space of $P_2^*$-processes is proved to be isometric to the complete metric space of P2-processes in

Theorem 9. $\overline{P_2^*} \cong P_2$.

Proof. See Theorem 3.2 of [BZ83]. □

The set of image finite processes of finite depth is introduced in

Definition 10. The set $P_3^*$ of image finite processes of finite depth is defined by

$$P_3^* = \bigcup \{ P_3^n \mid n \in \mathbb{N} \}$$

where

$$P_3^n = \begin{cases} \{ \lambda a . \emptyset \} & \text{if } n = 0 \\ A \to \mathcal{P}_{fi}(P_3^{n-1}) & \text{otherwise} \end{cases}$$

The process domain P3 can be shown to be isometric to the metric completion of the metric space of $P_3^*$-processes.

Theorem 11. $\overline{P_3^*} \cong P_3$.

Proof. Similar to the proofs of the Theorems 7 and 9. □


4  Comparison  of  the  process  domains 

The three process domains are related. It is shown that the process domain P2 can be isometrically embedded in the process domain P3 and that the process domain P3 can be isometrically embedded in the process domain P1. Furthermore, if the action set $A$ is finite, then the process domain P1 can be isometrically embedded in the process domain P2 such that the diagram

[diagram omitted: the embeddings $i_1$, $i_2$, and $i_3$ between P1, P2, and P3, with the composites labelled id]

commutes. Consequently, if the action set $A$ is finite, then the process domains P1, P2, and P3 are isometric. If the action set $A$ is infinite, then it can be proved that the process domains P1, P2, and P3 are not isometric.

The embedding $i_1$ from the process domain P2 to the process domain P3 is introduced in

Definition 12. The embedding $i_1 : P_2 \to P_3$ is defined by

$$i_1(p) = \lambda a . \{ i_1(p') \mid (a, p') \in p \}.$$

In order to prove the well-definedness of the above recursive definition of the embedding $i_1$, a so-called higher-order transformation is introduced in

Definition 13. The higher-order transformation

$$\Psi_{i_1} : (P_2 \to P_3) \to (P_2 \to P_3)$$

is defined by

$$\Psi_{i_1}(\psi)(p) = \lambda a . \{ \psi(p') \mid (a, p') \in p \}.$$

In order to be well-defined, the higher-order transformation $\Psi_{i_1}$ is restricted to nonexpansive functions, i.e.

$$\Psi_{i_1} \in (P_2 \to^1 P_3) \to (P_2 \to^1 P_3).$$

(The collection of nonexpansive functions from P2 to P3, $P_2 \to^1 P_3$, endowed with the restriction of the metric on functions from P2 to P3 is a complete metric space.) Although only continuity, which is implied by nonexpansiveness, is needed in the well-definedness proof of the higher-order transformation $\Psi_{i_1}$, the restriction induces half of the proof that the embedding $i_1$ is isometric (see below). This higher-order transformation $\Psi_{i_1}$ can be shown to be contractive (here the $id_{\frac{1}{2}}$ in the domain equation of process domain P3 is crucial). According to Banach's theorem (cf. Theorem 2), the higher-order transformation $\Psi_{i_1}$ has a unique fixed point which is the intended embedding $i_1$, i.e.

$$i_1 = \mathrm{fix}(\Psi_{i_1}).$$

Consequently, $i_1 \in P_2 \to^1 P_3$. To show that the embedding $i_1$ is isometric it is left to prove that, for all $p$ and $p'$,

$$d(i_1(p), i_1(p')) \ge d(p, p').$$

This can be demonstrated by fixed point induction using Banach's theorem.

The embedding $i_2$ from the process domain P3 to the process domain P1 is introduced in

Definition 14. The embedding $i_2 : P_3 \to P_1$ is defined by

$$i_2(p) = \{ (a, i_2(p')) \mid p' \in p(a) \}.$$

As the embedding $i_1$, also the embedding $i_2$ can be shown to be well-defined and isometric.

Assume the action set $A$ is finite. Then the process domain P1 can be isometrically embedded in the process domain P2. The embedding $i_3$ from the process domain P1 to the process domain P2 is introduced in

Definition 15. The embedding $i_3 : P_1 \to P_2$ is defined by

$$i_3(p) = \{ (a, i_3(p')) \mid (a, p') \in p \}.$$

Also this embedding can be shown to be well-defined by means of a higher-order transformation. In the well-definedness proof of the higher-order transformation the compactness of the process domain P1 is exploited. The process domain P1 is compact, since the solution of a recursive domain equation built from 1-bounded compact metric spaces (e.g., the finite action set $A$ endowed with the discrete metric), $\mathcal{P}_{cl}$, $\times$, and $id_{\frac{1}{2}}$ is a 1-bounded compact metric space as is proved in [BW93].

The embedding $i_3$ can also be shown to be isometric. Furthermore, it can be demonstrated that the above diagram commutes. For example, it can be proved that

$$d(i_3 \circ i_2 \circ i_1, id) \le \tfrac{1}{2} \cdot d(i_3 \circ i_2 \circ i_1, id)$$

and hence $i_3 \circ i_2 \circ i_1 = id$. As a consequence, the process domains P1, P2, and P3 are isometric.

Theorem 16. If $A$ is finite, then $P_1 \cong P_2$, $P_2 \cong P_3$, and $P_1 \cong P_3$.

Assume the action set is infinite. More precisely, assume $A$ is equipollent to $2 \uparrow n$, for some $n$, where $2 \uparrow n$ is defined in

Definition 17. The sets $2 \uparrow n$ are defined by

$$2 \uparrow n = \begin{cases} \mathbb{N} & \text{if } n = 0 \\ 2^{2 \uparrow (n-1)} & \text{otherwise} \end{cases}$$

$p \xrightarrow{a} p'$ if and only if $p' \in p(a)$.

Also the process domain P3 can be shown to be strongly extensional.

Theorem 21. P3 is strongly extensional.

Proof. Similar to the proofs of the Theorems 19 and 20. □

6  Sequential  composition 

Some complications arising in the definition of the sequential composition of P1-processes are pinpointed. Furthermore, it is shown that these complications do not arise in the definition of the sequential composition of P3-processes.

In Definition 4.4 of [BM88], the sequential composition of P1-processes is defined by

Definition 22. The operator $; : P_1 \times P_1 \to P_1$ is defined by

$$p ; p' = \begin{cases} p' & \text{if } p = \emptyset \\ \{ (a, p'' ; p') \mid (a, p'') \in p \} & \text{otherwise} \end{cases}$$

This definition coincides with the operational definition of the sequential composition. (Note that processes can be seen as labelled transition systems.) However, the above definition is not well-defined, as Warmerdam ([War90]) showed (cf. Appendix A).

Also in Definition 2.14 of [BZ82], the sequential composition of P1-processes is defined.

Definition 23. For a finite process $p$, $p ; p'$ is defined as in Definition 22, and for an infinite process $p$,

$$p ; p' = \lim_{n} (p[n] ; p')$$

where $p[n]$ denotes the truncation of process $p$ at depth $n$.

This definition is well-defined. However, the above definition does not coincide with the operational definition of the sequential composition (cf. Appendix A).

For P3-processes, the sequential composition is defined in

Definition 24. The operator $; : P_3 \times P_3 \to P_3$ is defined by

$$p ; p' = \begin{cases} p' & \text{if } p = \lambda a . \emptyset \\ \lambda a . \{ p'' ; p' \mid p'' \in p(a) \} & \text{otherwise} \end{cases}$$

The well-definedness of the above definition of the sequential composition can be proved along the lines of the well-definedness proof of the embedding $i_1$ in the fourth section of this paper.
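
The finite-depth fragment of the constructions above, as an added example (constructed here, not code from the paper): the Hausdorff metric of Definition 4 with $\sup \emptyset = 0$ and $\inf \emptyset = 1$, the resulting metric on P1-processes, P3-processes kept as finite function tables, the embedding $i_1$ of Definition 12, and the sequential compositions of Definitions 22 and 24. Representing processes as Python frozensets and actions as strings is an assumption of the example.

```python
from fractions import Fraction
from typing import Callable, FrozenSet, Iterable, Tuple

# Constructed illustration, not code from the paper.  Only processes of finite
# depth are represented, so the closedness and compactness issues of the
# infinite case never arise here.  A P1*-process is a frozenset of
# (action, subprocess) pairs; the empty frozenset is the nil process.
# frozenset gives absorption (no duplicate subtrees) and commutativity
# (no order on subtrees) for free.  Actions are plain strings (assumption).
Process = FrozenSet[Tuple[str, "Process"]]
NIL: Process = frozenset()


def proc(*branches: Tuple[str, Process]) -> Process:
    return frozenset(branches)


def truncate(p: Process, n: int) -> Process:
    """p[n]: the tree p cut off at depth n."""
    if n == 0:
        return NIL
    return frozenset((a, truncate(q, n - 1)) for a, q in p)


def hausdorff(xs: Iterable, ys: Iterable, d: Callable) -> Fraction:
    """Hausdorff metric of Definition 4, with sup(empty) = 0 and inf(empty) = 1."""
    xs, ys = list(xs), list(ys)

    def half(src, dst):
        return max((min((d(x, y) for y in dst), default=Fraction(1))
                    for x in src), default=Fraction(0))

    return max(half(xs, ys), half(ys, xs))


def d1(p: Process, q: Process) -> Fraction:
    """Metric on P1 = P_cl(A x id_1/2(P1)): discrete metric on the action set,
    halved distance on subprocesses, Hausdorff distance on the branch sets."""
    def d_branch(x, y):
        (a, p2), (b, q2) = x, y
        return Fraction(1) if a != b else Fraction(1, 2) * d1(p2, q2)

    return hausdorff(p, q, d_branch)


# A P3-process, i.e. a function A -> P_co(id_1/2(P3)), is kept as a finite
# table: a frozenset of (action, frozenset of P3-processes) pairs with each
# action listed at most once; unlisted actions map to the empty set.  The
# empty table is the nil process lambda a . {}.
P3 = FrozenSet[Tuple[str, FrozenSet["P3"]]]


def at(f: P3, a: str) -> FrozenSet:
    """Apply the function table f to the action a."""
    return dict(f).get(a, frozenset())


def d3(f: P3, g: P3) -> Fraction:
    """Metric on P3: sup over the actions (function-space metric of Definition 4)
    of the Hausdorff distance between the image sets, halved on the elements."""
    actions = {a for a, _ in f} | {a for a, _ in g}
    return max((hausdorff(at(f, a), at(g, a),
                          lambda x, y: Fraction(1, 2) * d3(x, y))
                for a in actions), default=Fraction(0))


def i1(p: Process) -> P3:
    """Embedding of Definition 12: i1(p) = lambda a . { i1(p') | (a, p') in p }."""
    table: dict = {}
    for a, q in p:
        table.setdefault(a, set()).add(i1(q))
    return frozenset((a, frozenset(s)) for a, s in table.items())


def seq1(p: Process, q: Process) -> Process:
    """Sequential composition of Definition 22; on finite-depth processes the
    set it builds is finite, hence closed, so no Warmerdam-style problem."""
    if not p:
        return q
    return frozenset((a, seq1(p2, q)) for a, p2 in p)


def seq3(f: P3, g: P3) -> P3:
    """Sequential composition of Definition 24 on P3-processes."""
    if not f:
        return g
    return frozenset((a, frozenset(seq3(f2, g) for f2 in s)) for a, s in f)


def coincide_depth(p: Process, q: Process, limit: int = 16) -> int:
    """Largest n <= limit with p[n] == q[n].  For distinct processes of finite
    depth, d1(p, q) == 2 ** -n: the metric sketched in the introduction."""
    n = 0
    while n < limit and truncate(p, n + 1) == truncate(q, n + 1):
        n += 1
    return n


if __name__ == "__main__":
    p = proc(("a", proc(("b", NIL))), ("c", NIL))
    q = proc(("a", proc(("b", proc(("c", NIL))))), ("c", NIL))
    print(proc(("a", NIL), ("a", NIL)) == proc(("a", NIL)))  # absorption: True
    print(d1(p, q), coincide_depth(p, q))                     # 1/4 2
    print(d3(i1(p), i1(q)) == d1(p, q))                       # i1 isometric: True
    print(i1(seq1(p, q)) == seq3(i1(p), i1(q)))               # True
```

Warmerdam's counterexample of Appendix A needs processes of infinite depth and so cannot be reproduced with this representation; the block instead checks that $i_1$ preserves distances on sample finite processes and maps Definition 22's composition onto Definition 24's.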

Also in the definitions of the operators parallel composition, trace set, and fairification on P1-processes similar complications arise (cf. [BK87, BBKM84, Bre94]). These complications do not arise in the definitions of the operators on P3-processes (cf. [Bre94]). Also process domain P2 does not give rise to these complications (cf. [KR90]). However, unlike process domain P3, process domain P2 does not allow an elementary modelling of image finite language constructions like random assignment (cf. [Bre94]).

Concluding  remarks 

In  this  concluding  section,  some  related  work  is  discussed  and  some  points  for 
further  research  are  mentioned. 

A fourth process domain P4 defined by the recursive domain equation $P_4 \cong A \to \mathcal{P}_{cl}(id_{\frac{1}{2}}(P_4))$ is considered in [Bre94]. The process domain P4 can be shown to be isometric to the process domain P1 (independent of the size of the action set $A$).

An alternative metric process domain is introduced by Golson and Rounds in [GR83, Gol84]. The processes are Milner's rigid synchronization trees endowed with a pseudometric. The pseudometric is induced by the (strong) behavioural equivalence relation introduced in [Mil80]. This behavioural equivalence relation and the bisimilarity equivalence relation considered in Section 5 do not coincide (cf. [Mil90]). Golson and Rounds show that their process domain is isometric to the process domain P1 in case the action set is finite or countably infinite (for the countably infinite case, the power set construction used in the domain equation defining P1 should be restricted to the collection of countable subsets).

In [Ole87], Oles defines a denotational semantics for a nonuniform language with the so-called angelic choice operator. The mathematical domain of this denotational semantics is defined as the solution of a recursive domain equation over bounded complete directed sets. For a uniform language with the conventional choice operator, the mathematical domain defined by the recursive domain equation $P \cong A \to \mathcal{P}_{fi}(P)$ has been suggested ([Ole92]). This domain equation shows some resemblance with the domain equation for process domain P3.

Some topics for further research are the study of the process domains P1, P2, and P3 with the action set endowed with an arbitrary complete metric instead of the discrete metric, and process domains corresponding to general, finitely branching, and image finite processes for complete partial orders and non-well-founded sets.
A Warmerdam's counterexample

Warmerdam ([War90]) showed that the sequential composition of P1-processes as defined in Definition 4.4 of [BM88] (cf. Definition 22) is not well-defined by proving that the set

$$\{ (a, p'' ; p') \mid (a, p'') \in p \}$$

is in general not closed. Here, Warmerdam's counterexample is presented. Furthermore, this counterexample is used to illustrate that the sequential composition as defined in Definition 2.14 of [BZ82] (cf. Definition 23) does not correspond to the operational definition of the sequential composition.

Let P1-process $p$ be defined by

$$p = \{ (a, p_n) \mid n \in \mathbb{N} \}$$

where

$$p_n = \{ b^n, (a_0, \emptyset), \ldots, (a_{n-1}, \emptyset), (a_n, \{ (c, \emptyset) \}), (a_{n+1}, \emptyset), \ldots \}$$

and

$$b^n = \begin{cases} (b, \emptyset) & \text{if } n = 0 \\ (b, \{ b^{n-1} \}) & \text{otherwise} \end{cases}$$

This P1-process $p$ is depicted by

[figure omitted: tree of the process $p$]

Let P1-process $p'$ be defined by

$$p' = \{ \lim_{n} c^n \}.$$

This P1-process $p'$ is depicted by

[figure omitted: an infinite chain of edges labelled c]

According to Definition 4.4 of [BM88] (cf. Definition 22), the sequential composition of the P1-processes $p$ and $p'$ is defined by

$$p ; p' = \{ (a, p''_n) \mid n \in \mathbb{N} \}$$

where

$$p''_n = \{ b^n ; p', (a_0, p'), (a_1, p'), \ldots \}$$

and

$$b^n ; p' = \begin{cases} (b, p') & \text{if } n = 0 \\ (b, \{ b^{n-1} ; p' \}) & \text{otherwise} \end{cases}$$

This process $p ; p'$ is depicted by

[figure omitted: tree of the process $p ; p'$]

However, $p ; p'$ is not a P1-process, since the set $p ; p'$ is not closed. The set $p ; p'$ contains the Cauchy sequence $((a, p''_n))_n$ but not its limit $(a, p'')$ where

$$p'' = \{ \lim_{n} b^n, (a_0, p'), (a_1, p'), \ldots \}$$

which is depicted by

[figure omitted: tree of the process $p''$, with an infinite branch of edges labelled b next to branches labelled $a_0, a_1, a_2, \ldots$, each followed by an infinite chain of edges labelled c]

The above counterexample also shows that the limit construction in the definition of the sequential composition presented in Definition 2.14 of [BZ82] (cf. Definition 23) adds unexpected subprocesses; the limit construction $\lim_{n} (p[n] ; p')$ adds subprocess $(a, p'')$.
Abstract. Semantic models are presented for two simple imperative languages with higher order constructs. In the first language the interesting notion is that of second order assignment x := s, for x a procedure variable and s a statement. The second language extends this idea by a form of higher order communication, with statements c ! s and c ? x, for c a channel. We develop operational and denotational models for both languages, and study their relationships. Both in the definitions and the comparisons of the semantic models, convenient use is made of some tools from (metric) topology. The operational models are based on (SOS-style) transition systems; the denotational definitions use domains specified as solutions of domain equations in a category of 1-bounded complete ultrametric spaces. In establishing the connection between the two kinds of models, fruitful use is made of Rutten's processes as terms technique. Another new tool consists in the use of metric transition systems, with a metric defined on the configurations of the system. In addition to higher order programming notions, we use higher order definitional techniques, e.g., in defining the semantic mappings as fixed points of (contractive) higher order operators. By Banach's theorem, such fixed points are unique, yielding another important proof principle for our paper.


Introduction 

In recent years, the study of higher order programming notions has become a central topic in the field of semantics. Seminal in this development have been two schools of research, viz. that of (typed) λ-calculus in the area of functional programming (see, e.g., [Bar92] for a survey of the current situation), and that of higher order processes in the theory of concurrency (see, e.g., [AR87, Tho90, MPW92]). ([LTLG92] can be used for a quick overview of much of the relevant literature.) The aim of the present paper is to provide another perspective on this problem area by studying higher order notions embedded in the traditional setting of imperative languages. First, we study second order assignment: the
statement x := s, for x a procedure variable and s a statement, assigns s to x. In the operational semantics, this is modelled by storing (the syntactic entity) s in the current 'syntactic' state. Denotationally, the (function which is the) meaning of s is stored in the 'semantic' state. The second notion we study is second order communication. Recall that in a CSP- or occam-like language value-passing communication is expressed by the two actions c ! e and c ? v occurring in two parallel components (c a channel, e some expression, and v an individual variable), and synchronised execution of these actions results in the transmission of the current value of e to v. A second order variant of this is the pair of communication constructs c ! s and c ? x (c, s, and x as above). Now a higher order value is passed at the moment of synchronised execution: in the operational semantics, we pass s (again a syntactic object); denotationally, the meaning of s is transmitted.

Though these notions are, we hope, conceptually quite simple, a not so simple arsenal of semantic tools is necessary to make the ideas just sketched precise, and to obtain a full picture of the relationships between the operational (O) and denotational (D) models. In both kinds of models, topological techniques play an essential role. More specifically, we work in a category of 1-bounded complete ultrametric spaces, and a variety of functors on this category is used to specify the domains we work with. (This type of domain equations originated with [BZ82]; the general theory is due to [AR89]. See also [BR92] for many further applications.)

For reasons of presentation, in addition to the languages with higher order assignment (i CM2 ) and communication (£,.„, ) we also discuss two simpler languages with only first order assignment (£„.,) and communication (£„„), respectively. This allows a more leisurely development of the machinery: in particular, we are able to demonstrate in a simple setting another higher order phenomenon which is pervasive in this paper, viz. the use of (contractive) higher order mappings in both the definition and the comparison of semantic meaning functions. Each of the O's or D's to be defined is obtained as (unique) fixed point of some higher order mapping $\Phi_O$ or $\Phi_D$. By the uniqueness property, in order to establish O = D, it suffices to show, e.g., that $\Phi_O(D) = D$.

The definition of each of the O's follows the customary pattern in that it is derived from some (SOS-style) transition system ([Plo81]). Mostly, these systems are finitely branching, a property on which the compactness of the resulting sets of meanings is based. However, in the comparative study of £„„2 we need a generalisation to compactly branching transition systems. This is, in turn, based on an extension of the metric framework consisting in the introduction of a metric on the configurations of the transition system (rather than only having a metric based on the standard distance between sequences of actions generated by successive transitions).

The key idea in the semantic analysis of £„,2 is the introduction of both syntactic and semantic states, and of a suitable mapping linking the two. Whereas the syntactic states are an immediate extension of those used for £M, the set of semantic states requires a system of (reflexive) domain equations for its specification. Once the appropriate definitions have become available, a concise (statement and) proof of the relationship between O and D is possible, thanks to the rather powerful general methodology.

The first order language Crn is a fairly typical language with imperative concurrency. Our design of O for Cr„ exhibits only some mild variations compared with the traditional approach. The denotational D is based on a 'branching time' process domain P of the 'nonuniform' variety (processes have a functional dependence on the state). It is not difficult to show (and implicit in [BZ82]) that P is strongly extensional: with a slight adaptation of the usual definition of bisimilarity, we have that bisimilarity on P coincides with identity. The various semantic operators on P may as well be defined by higher order techniques. The relationship between O and D for Ccn involves a trace mapping from the denotational 'branching time' to the operational 'linear time' domain: among others, the branching structure is collapsed, and failing attempts at communication are deleted (and deadlock is delivered if no 'proper' action remains).

The paper culminates in the semantic study of $\mathcal{L}_{co2}$, bringing a synthesis of many of the earlier techniques. The denotational domain, albeit rather complex due to the use of three domain equations, allows an appealingly simple denotational definition. This domain can also be shown to be strongly extensional (with some higher order generalisation of the bisimilarity definition, cf., e.g., [AGR92, MS92]). More work is needed to link $\mathcal{O}$ and $\mathcal{D}$. First, an idea already used for $\mathcal{L}_{co}$, viz. to design a variant of $\mathcal{O}$ delivering results in the denotational domain, is applied again. However, for $\mathcal{L}_{co2}$ a complication arises, inducing the appearance of 'processes as terms' ([Rut92]). Also, this is the point where, as signalled earlier, a compactly branching transition system appears, a notion which presupposes a metric on the configurations ([Bre94]). In the final stage of the proof relating $\mathcal{O}$ and $\mathcal{D}$, a lemma relating the transitions of both the original system (on which $\mathcal{O}$ for $\mathcal{L}_{co2}$ is based) and of the extended system (in which the configurations may involve semantic processes) provides the key technical step.

In the final section, the paper summarises the relationships between $\mathcal{O}$ and $\mathcal{D}$ for the four languages considered. We see as one of the achievements of our paper the transparency of the successive refinements, going from the simple $\mathcal{O} = \mathcal{D}$ result for $\mathcal{L}_{as}$ to the more elaborate theorem for $\mathcal{L}_{co2}$.

We conclude this introduction with some remarks on related work. The idea to handle second order assignment $x := s$ through the storing of a pair $(x, s)$ in the (syntactic) state is close to the explicit substitution (in the framework of the $\lambda$-calculus) of [Cur88, ACCL90], albeit that some stack-like nesting of states, omitted in this paper not to overload the presentation, would be needed to allow a full correspondence. The language $\mathcal{L}_{co2}$ should, after some massaging of the specific operator for parallelism, be able to at least model a key part of Thomsen's CHOCS ([Tho89, Tho90]), viz. that sublanguage which he uses to encode the lazy $\lambda$-calculus. However, a precise statement and, especially, a full proof of this claim demands a lot of further work. Other connections to explore include the relationships with the $\pi$-calculus ([MPW92, Mil92]), the higher order $\pi$-calculus ([San92, San93]), and the $\gamma$-calculus ([Bou89, BB92], cf. also [JP90]). In the $\pi$-calculus, channel names are transmitted rather than processes, so an immediate correspondence is not to be expected. For another reason, the same holds for the $\gamma$-calculus: the notion of sequential composition used there is essentially different from ours.

1 A sequential language with assignment

The first language we discuss, viz. $\mathcal{L}_{as}$, is quite simple, and chosen especially to illustrate the use of higher order techniques in defining and relating semantic models. Also, it prepares the way for the more interesting language with second order assignment considered in the next section. For $\mathcal{L}_{as}$, we shall define both $\mathcal{O}$ (operational) and $\mathcal{D}$ (denotational) semantics as (unique) fixed point of a suitable contractive mapping$^1$. Banach's theorem$^2$ applies, since all spaces involved are complete. The semantics $\mathcal{O}$ and $\mathcal{D}$ shall be related by showing that both are fixed points of the same contractive mapping.

Let $(v \in)\,\mathit{IVar}$, $(x \in)\,\mathit{PVar}$ be alphabets of individual and procedure variables. Let $(e \in)\,\mathit{Exp}$ be a class of simple expressions (syntax left unspecified).

Definition 1. The language $\mathcal{L}_{as}$ is defined by

$s ::= v := e \mid s ; s \mid s + s \mid x \mid \mu x[s].$

The prefix $\mu x$ binds occurrences of procedure variable $x$. Our semantic definitions will throughout be given for closed constructs (no free procedure variables) only. To define the operational semantics we shall use transition systems. The configurations of the transition system are pairs of resumptions and states.

Definition 2. The class $\mathit{Res}_1$ of resumptions is defined by

$r ::= \mathrm{E} \mid s : r.$

The set $\mathit{State}_1$ of states is defined by

$(\sigma \in)\,\mathit{State}_1 = \mathit{IVar} \to \mathit{Val},$

for $(\alpha \in)\,\mathit{Val}$ some set of values.

The (empty) resumption $\mathrm{E}$ will be used to denote termination. The state $\sigma\{\alpha/v\}$ has value $\alpha$ in $v$ and equals $\sigma$ elsewhere. Let $\mathcal{V}(e)(\sigma)$ denote the value of expression $e$ in state $\sigma$. Let $s\{s'/x\}$ denote syntactic substitution of statement $s'$ for the free occurrences of procedure variable $x$ in statement $s$. The transition system $T_1$ is introduced in

$^1$ Let $(X, d_X)$ and $(X', d_{X'})$ be metric spaces. A function $f : X \to X'$ is called contractive if there exists an $\varepsilon$, with $0 \le \varepsilon < 1$, such that, for all $x$ and $x'$,

$d_{X'}(f(x), f(x')) \le \varepsilon \cdot d_X(x, x').$

$^2$ Let $(X, d_X)$ be a complete metric space. If $f : X \to X$ is contractive then $f$ has a unique fixed point $\mathit{fix}(f)$ (cf. [Ban22]).
Definition 3. The transition relation $\to$ of $T_1$ is the smallest subset of $(\mathit{Res}_1 \times \mathit{State}_1) \times (\mathit{Res}_1 \times \mathit{State}_1)$ satisfying the rules given below. A rule of the form

if $[r_1, \sigma_1] \to [r, \sigma]$ then $[r_2, \sigma_2] \to [r, \sigma]$

will be abbreviated to

$[r_2, \sigma_2] \to_0 [r_1, \sigma_1];$

the 0-subscript indicates that we have here a zero-step transition.

(1) $[v := e : r, \sigma] \to [r, \sigma\{\alpha/v\}]$, where $\alpha = \mathcal{V}(e)(\sigma)$

(2) $[(s_1 ; s_2) : r, \sigma] \to_0 [s_1 : (s_2 : r), \sigma]$

(3) $[(s_1 + s_2) : r, \sigma] \to_0 [s_1 : r, \sigma]$

(4) $[(s_1 + s_2) : r, \sigma] \to_0 [s_2 : r, \sigma]$

(5) $[\mu x[s] : r, \sigma] \to [s\{\mu x[s]/x\} : r, \sigma]$

In the operational semantics we collect successive transitions. Each resumption is mapped to an element of the semantic domain $P_1$ presented in

Definition 4. The domain $P_1$ is defined by

$(p \in)\,P_1 = \mathit{State}_1 \to \mathcal{P}_{nc}(\mathit{State}_1^\infty).$

The set $(\varsigma \in)\,\mathit{State}_1^\infty = \mathit{State}_1^* \cup \mathit{State}_1^\omega$ of finite and infinite sequences of states is endowed with the 1-bounded complete ultrametric $d$ specified by

$d(\varsigma, \varsigma') = \begin{cases} 0 & \text{if } \varsigma = \varsigma' \\ 2^{-n} & \text{otherwise} \end{cases}$

where $n$ is the length of the longest common prefix of $\varsigma$ and $\varsigma'$. According to Kuratowski's theorem$^3$, the set $\mathcal{P}_{nc}(\mathit{State}_1^\infty)$ of nonempty compact subsets of $\mathit{State}_1^\infty$ endowed with the Hausdorff metric is a 1-bounded complete ultrametric space.

Definition 5. The higher order mapping $\Phi_{\mathcal{O}^*} : (\mathit{Res}_1 \to P_1) \to (\mathit{Res}_1 \to P_1)$ is defined by

$\Phi_{\mathcal{O}^*}(\phi)(\mathrm{E}) = \lambda\sigma.\{\epsilon\}$

$\Phi_{\mathcal{O}^*}(\phi)(s : r) = \lambda\sigma.\bigcup\{\, \sigma' \cdot \phi(r')(\sigma') \mid [s : r, \sigma] \to [r', \sigma'] \,\}$

The operational semantics $\mathcal{O}^* : \mathit{Res}_1 \to P_1$ is defined by

$\mathcal{O}^* = \mathit{fix}(\Phi_{\mathcal{O}^*}).$

$^3$ If $(X, d_X)$ is a 1-bounded complete ultrametric space then the set of nonempty and compact subsets of $X$, $\mathcal{P}_{nc}(X)$, endowed with the Hausdorff metric based on $d_X$ is a 1-bounded complete ultrametric space (cf. [Kur56]).
In the above definition of $\Phi_{\mathcal{O}^*}$, $\sigma' \cdot \phi(r')(\sigma')$ is the result of prefixing the set of state sequences $\phi(r')(\sigma')$ by the state $\sigma'$. The well-definedness proof of $\Phi_{\mathcal{O}^*}$ exploits the fact that $T_1$ is finitely branching. Obviously, $\Phi_{\mathcal{O}^*}$ is contractive. According to Banach's theorem, $\Phi_{\mathcal{O}^*}$ has a unique fixed point.

Definition 6. The operational semantics $\mathcal{O} : \mathcal{L}_{as} \to P_1$ is defined by

$\mathcal{O}(s) = \mathcal{O}^*(s : \mathrm{E}).$

In the denotational semantics, we restrict ourselves to nonexpansive mappings$^4$ (notation $\to^1$).

Definition 7. The higher order mapping

$\Phi_{\mathcal{D}} : (\mathcal{L}_{as} \to P_1 \to^1 P_1) \to (\mathcal{L}_{as} \to P_1 \to^1 P_1)$

is defined by

$\Phi_{\mathcal{D}}(\phi)(v := e)(p) = \lambda\sigma.(\sigma\{\alpha/v\} \cdot p(\sigma\{\alpha/v\}))$, where $\alpha = \mathcal{V}(e)(\sigma)$

$\Phi_{\mathcal{D}}(\phi)(s_1 ; s_2)(p) = \Phi_{\mathcal{D}}(\phi)(s_1)(\Phi_{\mathcal{D}}(\phi)(s_2)(p))$

$\Phi_{\mathcal{D}}(\phi)(s_1 + s_2)(p) = \lambda\sigma.(\Phi_{\mathcal{D}}(\phi)(s_1)(p)(\sigma) \cup \Phi_{\mathcal{D}}(\phi)(s_2)(p)(\sigma))$

$\Phi_{\mathcal{D}}(\phi)(\mu x[s])(p) = \lambda\sigma.(\sigma \cdot \phi(s\{\mu x[s]/x\})(p)(\sigma))$

The denotational semantics $\mathcal{D} : \mathcal{L}_{as} \to P_1 \to^1 P_1$ is defined by

$\mathcal{D} = \mathit{fix}(\Phi_{\mathcal{D}}).$

The nonexpansiveness of $\Phi_{\mathcal{D}}(\phi)(s)$ and the contractiveness of $\Phi_{\mathcal{D}}$ can be proved by structural induction. Note that this definition of $\mathcal{D}$ implies, e.g., that $\mathcal{D}(\mu x[s])(p) = \lambda\sigma.(\sigma \cdot \mathcal{D}(s\{\mu x[s]/x\})(p)(\sigma))$. Well-definedness of $\mathcal{D}$ is a consequence of the contractiveness of $\Phi_{\mathcal{D}}$ (here ensured by the $\sigma$-step) rather than of a direct argument by structural induction on $s$.

Definition 8. The denotational semantics $\mathcal{D}^* : \mathit{Res}_1 \to P_1$ is defined by

$\mathcal{D}^*(\mathrm{E}) = \lambda\sigma.\{\epsilon\}$

$\mathcal{D}^*(s : r) = \mathcal{D}(s)(\mathcal{D}^*(r))$

The operational and denotational semantics are related in

Theorem 9. $\mathcal{O}^* = \mathcal{D}^*$.

Proof. For this theorem, we will sketch two alternative proofs.

$^4$ Let $(X, d_X)$ and $(X', d_{X'})$ be metric spaces. A function $f : X \to X'$ is called nonexpansive if, for all $x$ and $x'$,

$d_{X'}(f(x), f(x')) \le d_X(x, x').$
1. We can prove that, for all $r$,

$\Phi_{\mathcal{O}^*}(\mathcal{D}^*)(r) = \mathcal{D}^*(r)$

by induction on the complexity of $r$. For example, for the resumption $(s_1 ; s_2) : r$ we have that

$\Phi_{\mathcal{O}^*}(\mathcal{D}^*)((s_1 ; s_2) : r)$
$= \Phi_{\mathcal{O}^*}(\mathcal{D}^*)(s_1 : (s_2 : r))$
$= \mathcal{D}^*(s_1 : (s_2 : r))$ [the definition of the complexity is such that the induction hypothesis applies here]
$= \mathcal{D}(s_1)(\mathcal{D}(s_2)(\mathcal{D}^*(r)))$
$= \mathcal{D}^*((s_1 ; s_2) : r).$

Since $\mathcal{O}^*$ and $\mathcal{D}^*$ are both fixed points of $\Phi_{\mathcal{O}^*}$ and $\Phi_{\mathcal{O}^*}$ has a unique fixed point, $\mathcal{O}^*$ and $\mathcal{D}^*$ must be equal.

2. We can also prove that, for all $r$,

$d(\mathcal{O}^*(r), \mathcal{D}^*(r)) \le \tfrac{1}{2} \cdot \sup\{\, d(\mathcal{O}^*(r'), \mathcal{D}^*(r')) \mid r' \in \mathit{Res}_1 \,\}$

by induction on the complexity of $r$. For example, for the resumption $v := e : r$ we have that

$d(\mathcal{O}^*(v := e : r), \mathcal{D}^*(v := e : r))$
$= d(\lambda\sigma.(\sigma\{\alpha/v\} \cdot \mathcal{O}^*(r)(\sigma\{\alpha/v\})),\ \lambda\sigma.(\sigma\{\alpha/v\} \cdot \mathcal{D}^*(r)(\sigma\{\alpha/v\})))$
$= \tfrac{1}{2} \cdot d(\mathcal{O}^*(r), \mathcal{D}^*(r))$
$\le \tfrac{1}{2} \cdot \sup\{\, d(\mathcal{O}^*(r'), \mathcal{D}^*(r')) \mid r' \in \mathit{Res}_1 \,\}.$

Consequently, for all $r$, $d(\mathcal{O}^*(r), \mathcal{D}^*(r)) = 0$. Hence $\mathcal{O}^* = \mathcal{D}^*$.

□

The first proof follows [KR90] (cf. [BM88]), but with a substantial simplification thanks to our avoiding procedure environments.

Corollary 10. For all $s$, $\mathcal{O}(s) = \mathcal{D}(s)(\lambda\sigma.\{\epsilon\})$.
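As an added illustration (constructed for this edit; it is not code from the paper), the following Python block implements the transition system $T_1$, the iteration of $\Phi_{\mathcal{O}^*}$ of Definition 5 and the clauses of Definition 7 for $\mathcal{L}_{as}$, and checks Corollary 10 on the prefixes of length at most $n$ that $n$ iterations of the contractive mapping determine. Expressions are represented by Python functions of the state, and the looping sample program is constructed for this example.

```python
# Added example, not code from the paper: L_as of Section 1 in Python. O* is obtained by
# iterating the contractive mapping Phi_O of Definition 5, D follows the clauses of
# Definition 7; both are cut off after n emitted states, the part of the result that n
# iterations of a mapping with contraction factor 1/2 determine, so Corollary 10 can be
# checked up to distance 2^-n. Statements are constructed tuples: ("v:=", v, e) with e a
# Python function of the state, (";", s1, s2), ("+", s1, s2), ("x", x) and ("mu", x, s).
from typing import Callable, FrozenSet, Tuple

State = Tuple[Tuple[str, int], ...]    # sigma in State_1, as a sorted tuple (hashable)
Res = tuple                           # resumption: () is E, (s,) + r is s : r
Phi = Callable[[Res, State], FrozenSet[tuple]]   # an element of Res_1 -> P_1

def update(sigma: State, v: str, a: int) -> State:
    """sigma{a/v}"""
    return tuple(sorted({**dict(sigma), v: a}.items()))

def subst(s: tuple, t: tuple, x: str) -> tuple:
    """s{t/x}: syntactic substitution of t for the free occurrences of x in s."""
    if s[0] == "x":
        return t if s[1] == x else s
    if s[0] in (";", "+"):
        return (s[0], subst(s[1], t, x), subst(s[2], t, x))
    if s[0] == "mu":
        return s if s[1] == x else ("mu", s[1], subst(s[2], t, x))
    return s                                        # v := e contains no procedure variable

def step(r: Res, sigma: State) -> FrozenSet[Tuple[Res, State]]:
    """All [r', sigma'] with [r, sigma] -> [r', sigma'] in T_1 (Definition 3); the zero-step
    rules (2), (3), (4) are unfolded on the spot, so every result is a proper transition."""
    if not r:                                       # E has no transitions
        return frozenset()
    s, rest = r[0], r[1:]
    if s[0] == "v:=":                               # rule (1)
        return frozenset({(rest, update(sigma, s[1], s[2](dict(sigma))))})
    if s[0] == ";":                                 # rule (2)
        return step((s[1], s[2]) + rest, sigma)
    if s[0] == "+":                                 # rules (3) and (4)
        return step((s[1],) + rest, sigma) | step((s[2],) + rest, sigma)
    if s[0] == "mu":                                # rule (5): unfold, state unchanged
        return frozenset({((subst(s[2], s, s[1]),) + rest, sigma)})
    raise ValueError("closed constructs only, free procedure variable " + s[1])

def Phi_O(phi: Phi) -> Phi:
    """Definition 5: Phi_O(phi)(E) = lambda sigma . {eps} and
    Phi_O(phi)(s : r) = lambda sigma . U { sigma' . phi(r')(sigma') | [s : r, sigma] -> [r', sigma'] }."""
    def phi_next(r: Res, sigma: State) -> FrozenSet[tuple]:
        if not r:
            return frozenset({()})
        return frozenset((s2,) + t for r2, s2 in step(r, sigma) for t in phi(r2, s2))
    return phi_next

def O_star(r: Res, sigma: State, n: int) -> FrozenSet[tuple]:
    """The n-th iterate of Phi_O from lambda r . lambda sigma . {eps}: by Banach's theorem the
    iterates converge to O*, and the n-th one already fixes all prefixes of length <= n."""
    phi: Phi = lambda r, sigma: frozenset({()})
    for _ in range(n):
        phi = Phi_O(phi)
    return phi(r, sigma)

Proc = Callable[[State, int], FrozenSet[tuple]]     # p in P_1, cut off after n states
EPS: Proc = lambda sigma, n: frozenset({()})        # lambda sigma . {eps}, i.e. D*(E)

def D(s: tuple) -> Callable[[Proc], Proc]:
    """Definition 7 with the continuation p and the cut-off n threaded through."""
    def dp(p: Proc) -> Proc:
        def q(sigma: State, n: int) -> FrozenSet[tuple]:
            if n == 0:
                return frozenset({()})
            if s[0] == "v:=":                       # sigma{a/v} . p(sigma{a/v})
                s2 = update(sigma, s[1], s[2](dict(sigma)))
                return frozenset((s2,) + t for t in p(s2, n - 1))
            if s[0] == ";":                         # D(s1)(D(s2)(p))
                return D(s[1])(D(s[2])(p))(sigma, n)
            if s[0] == "+":                         # union of both branches
                return D(s[1])(p)(sigma, n) | D(s[2])(p)(sigma, n)
            if s[0] == "mu":                        # sigma . D(s{mu x [s]/x})(p)(sigma)
                return frozenset((sigma,) + t for t in D(subst(s[2], s, s[1]))(p)(sigma, n - 1))
            raise ValueError("closed constructs only, free procedure variable " + s[1])
        return q
    return dp

def corollary_10_holds(s: tuple, sigma: State, n: int) -> bool:
    """O(s)(sigma) = D(s)(lambda sigma . {eps})(sigma), compared on prefixes of length <= n."""
    return O_star((s,), sigma, n) == D(s)(EPS)(sigma, n)

# Constructed sample: mu x [ v := v + 1 ; (x + w := v) ], which may run forever.
LOOP = ("mu", "x", (";", ("v:=", "v", lambda d: d["v"] + 1),
                         ("+", ("x", "x"), ("v:=", "w", lambda d: d["v"]))))
SIGMA0: State = (("v", 0), ("w", 0))
```

Each iteration of `Phi_O` fixes one more state of every sequence, which is the computational content of the contraction factor $\tfrac{1}{2}$ in the second proof of Theorem 9.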

2 A sequential language with second order assignment

The central notion of this section is second order assignment, in the form of the statement $x := s$, for $s$ itself a statement. In the operational semantics, the routine (program text) $s$ is stored in the syntactic state $\sigma$ as value for $x$; in the denotational semantics, the meaning $\mathcal{D}(s)$ is stored as value for $x$ in the semantic state $\rho$. The definition of $\mathcal{O}$ and $\mathcal{D}$ for $\mathcal{L}_{as2}$ allows a particularly succinct (statement and) proof of the relationship between $\mathcal{O}$ and $\mathcal{D}$.

Definition 11. The language $\mathcal{L}_{as2}$ is defined by

$s ::= v := e \mid s ; s \mid s + s \mid x \mid x := s.$




The configurations of the transition system defining the operational semantics are pairs of resumptions (defined as in the previous section, but now named $\mathit{Res}_2$) and syntactic states, which are introduced in

Definition 12. The set $\mathit{SynState}_2$ of syntactic states is defined by

$(\sigma \in)\,\mathit{SynState}_2 = (\mathit{IVar} \to \mathit{Val}) \times (\mathit{PVar} \to \mathcal{L}_{as2}).$

Let, for the state $\sigma = (\sigma_1, \sigma_2)$, the states $\sigma\{\alpha/v\}$ and $\sigma\{s/x\}$ be short for $(\sigma_1\{\alpha/v\}, \sigma_2)$ and $(\sigma_1, \sigma_2\{s/x\})$, respectively. The transition system $T_2$ is introduced in

Definition 13. The transition relation $\to$ of $T_2$ is the smallest subset of $(\mathit{Res}_2 \times \mathit{SynState}_2) \times (\mathit{Res}_2 \times \mathit{SynState}_2)$ satisfying (1), (2), (3), (4) from Definition 3, and

(6) $[x : r, \sigma] \to [\sigma(x) : r, \sigma]$

(7) $[x := s : r, \sigma] \to [r, \sigma\{s/x\}]$

The definitions of $\mathcal{O}^*$ and $\mathcal{O}$ follow those of $\mathcal{O}^*$ and $\mathcal{O}$ of the previous section, but now using transition system $T_2$ and semantic domain $P_2$, which is obtained from $P_1$ by replacing $\mathit{State}_1$ by $\mathit{SynState}_2$. We next present the (system of) domain equations$^5$ for the collection of semantic states $\mathit{SemState}_2$ and $P_3$, the denotational domain for $\mathcal{L}_{as2}$.

Definition 14. The domains $\mathit{SemState}_2$ and $P_3$ are defined by

$(\rho \in)\,\mathit{SemState}_2 \cong (\mathit{IVar} \to \mathit{Val}) \times (\mathit{PVar} \to \mathit{id}_{1/2}(P_3 \to^1 P_3))$

$(p \in)\,P_3 \cong \mathit{SemState}_2 \to^1 \mathcal{P}_{nc}(\mathit{SemState}_2^\infty)$

Definition 15. The denotational semantics $\mathcal{D} : \mathcal{L}_{as2} \to P_3 \to^1 P_3$ is defined by

$\mathcal{D}(v := e)(p) = \lambda\rho.(\rho\{\alpha/v\} \cdot p(\rho\{\alpha/v\}))$, where $\alpha = \mathcal{V}(e)(\rho)$

$\mathcal{D}(s_1 ; s_2)(p) = \mathcal{D}(s_1)(\mathcal{D}(s_2)(p))$

$\mathcal{D}(s_1 + s_2)(p) = \lambda\rho.(\mathcal{D}(s_1)(p)(\rho) \cup \mathcal{D}(s_2)(p)(\rho))$

$\mathcal{D}(x)(p) = \lambda\rho.(\rho \cdot \rho(x)(p)(\rho))$

$\mathcal{D}(x := s)(p) = \lambda\rho.(\rho\{\psi/x\} \cdot p(\rho\{\psi/x\}))$, where $\psi = \mathcal{D}(s)$

$^5$ To solve these domain equations, we work in a category of 1-bounded complete ultrametric spaces and apply the methodology of solving domain equations in this category as developed in [AR89]. Functors $F$ appearing in domain equations $X \cong F(X)$, or rather $(X, d_X) \cong F(X, d_X)$, with $\cong$ denoting isometry, may be built from the familiar operations on 1-bounded complete ultrametric spaces such as Cartesian product, disjoint union, (nonexpansive) function space, and (nonempty) compact power set, and the operation $\mathit{id}_{1/2}$ (with $\mathit{id}_{1/2}(X, d_X) = (X, \tfrac{1}{2} \cdot d_X)$), starting from given 1-bounded complete ultrametric spaces $(A, d_A)$ and the unknown space $(X, d_X)$. The operation $\mathit{id}_{1/2}$ is used in particular to ensure contractiveness of the functor $F$, which induces uniqueness of the solution up to isometry.
The denotational semantics $\mathcal{D}$ closely follows the structure of the rules in transition system $T_2$. Consider, for example, the case that a rule $[r, \sigma] \to [r', \sigma']$ (or $[r, \sigma] \to_0 [r', \sigma']$) is the sole rule for configuration $[r, \sigma]$ in $T_2$. Let $p$ and $p'$ denote the denotational meanings of $r$ and $r'$, and let $\rho$ and $\rho'$ be the semantic states corresponding to $\sigma$ and $\sigma'$ (cf. Definition 16). Then the formula $p(\rho) = \rho' \cdot p'(\rho')$ (or $p(\rho) = p'(\rho')$) expresses the denotational counterpart of this rule. In this way the clause for $\mathcal{D}(x)(p)(\rho)$ may be understood from clause (6) of Definition 13.

The definition of $\mathcal{D}^*$ follows that of $\mathcal{D}^*$ of the previous section. To each syntactic state a corresponding semantic state is assigned by the mapping $\mathit{sem}$ introduced in

Definition 16. The mapping $\mathit{sem} : \mathit{SynState}_2 \to \mathit{SemState}_2$ is defined by

$\mathit{sem}(\sigma) = (\sigma_1, \lambda x.\lambda p.\mathcal{D}(\sigma_2(x))(p)).$

The mapping $\mathit{sem}$ is extended in the natural way to a mapping from $\mathcal{P}_{nc}(\mathit{SynState}_2^\infty)$ to $\mathcal{P}_{nc}(\mathit{SemState}_2^\infty)$. By means of this mapping the operational and denotational semantics are related in

Theorem 17. For all $r$ and $\sigma$, $\mathit{sem}(\mathcal{O}^*(r)(\sigma)) = \mathcal{D}^*(r)(\mathit{sem}(\sigma))$.

Proof. This proof follows the second proof of Theorem 9. For example, for resumption $x := s : r$ we have that

$d(\mathit{sem}(\mathcal{O}^*(x := s : r)(\sigma)),\ \mathcal{D}^*(x := s : r)(\mathit{sem}(\sigma)))$
$= d(\mathit{sem}(\sigma\{s/x\} \cdot \mathcal{O}^*(r)(\sigma\{s/x\})),\ \mathcal{D}(x := s)(\mathcal{D}^*(r))(\mathit{sem}(\sigma)))$
$= d(\mathit{sem}(\sigma\{s/x\}) \cdot \mathit{sem}(\mathcal{O}^*(r)(\sigma\{s/x\})),\ \mathit{sem}(\sigma)\{\mathcal{D}(s)/x\} \cdot \mathcal{D}^*(r)(\mathit{sem}(\sigma)\{\mathcal{D}(s)/x\}))$
$= \tfrac{1}{2} \cdot d(\mathit{sem}(\mathcal{O}^*(r)(\sigma\{s/x\})),\ \mathcal{D}^*(r)(\mathit{sem}(\sigma)\{\mathcal{D}(s)/x\}))$
$\le \tfrac{1}{2} \cdot \sup\{\, d(\mathit{sem}(\mathcal{O}^*(r')(\sigma')),\ \mathcal{D}^*(r')(\mathit{sem}(\sigma'))) \mid r' \in \mathit{Res}_2,\ \sigma' \in \mathit{SynState}_2 \,\},$

since $\mathit{sem}(\sigma\{s/x\}) = \mathit{sem}(\sigma)\{\mathcal{D}(s)/x\}$.

□

Corollary 18. For all $s$ and $\sigma$, $\mathit{sem}(\mathcal{O}(s)(\sigma)) = \mathcal{D}(s)(\lambda\rho.\{\epsilon\})(\mathit{sem}(\sigma))$.

3 A parallel language with communication

The language $\mathcal{L}_{co}$ studied here has first order communication (synchronised transmission of simple values) as its main concept. $\mathcal{L}_{co}$ is close to a language such as CSP ([Hoa85]); again, its main motivation in the present context is to pave the way for the second order variant. A further simplification with respect to the usual languages of this kind is that we assume one global state, rather than a distribution of local states over the various parallel components. The design of a mechanism for local states is well-understood (see, e.g., [ABKR89]), and we have kept it separate from the present development in order not to burden the presentation.

Let $(c \in)\,\mathit{Chan}$ be an alphabet of channel names.

Definition 19. The language $\mathcal{L}_{co}$ is defined by

$s ::= v := e \mid c\,!\,e \mid c\,?\,v \mid s ; s \mid s + s \mid s \parallel s \mid x \mid \mu x[s].$

The configurations of the transition system are pairs of resumptions and extended states.

Definition 20. The class $\mathit{Res}_3$ of resumptions is defined by

$r ::= \mathrm{E} \mid s.$

The set $\mathit{State}_3$ of states is defined by

$(\sigma \in)\,\mathit{State}_3 = \mathit{State}_1.$

The set $\mathit{State}_3^{ext}$ of extended states is defined by

$(\eta \in)\,\mathit{State}_3^{ext} = \mathit{State}_3 \cup (\mathit{Chan} \times \mathit{Val}) \cup (\mathit{Chan} \times \mathit{IVar}).$

In the transition system, we will use the extended state $(c, \alpha)$ to denote that the value $\alpha$ is sent on channel $c$, and we will use $(c, v)$ to denote that the value received on channel $c$ should be assigned to the individual variable $v$. The transition system $T_3$ is introduced in

Definition 21. The transition relation $\to$ of $T_3$ is the smallest subset of $(\mathit{Res}_3 \times \mathit{State}_3^{ext}) \times (\mathit{Res}_3 \times \mathit{State}_3^{ext})$ satisfying

(1) $[v := e, \sigma] \to [\mathrm{E}, \sigma\{\alpha/v\}]$, where $\alpha = \mathcal{V}(e)(\sigma)$

(2) $[c\,!\,e, \sigma] \to [\mathrm{E}, (c, \alpha)]$, where $\alpha = \mathcal{V}(e)(\sigma)$

(3) $[c\,?\,v, \sigma] \to [\mathrm{E}, (c, v)]$

(4) $[s_1 + s_2, \sigma] \to_0 [s_1, \sigma]$

(5) $[s_1 + s_2, \sigma] \to_0 [s_2, \sigma]$

(6) $[\mu x[s], \sigma] \to [s\{\mu x[s]/x\}, \sigma]$

(7) if $[s_1, \sigma] \to [r_1, \eta]$ then $[s_1 ; s_2, \sigma] \to [r_1 ; s_2, \eta]$

(8) if $[s_1, \sigma] \to [r_1, \eta]$ then $[s_1 \parallel s_2, \sigma] \to [r_1 \parallel s_2, \eta]$

(9) if $[s_2, \sigma] \to [r_2, \eta]$ then $[s_1 \parallel s_2, \sigma] \to [s_1 \parallel r_2, \eta]$

(10) if $[s_1, \sigma] \to [r_1, (c, \alpha)]$ and $[s_2, \sigma] \to [r_2, (c, v)]$ then $[s_1 \parallel s_2, \sigma] \to [r_1 \parallel r_2, \sigma\{\alpha/v\}]$

(11) if $[s_1, \sigma] \to [r_1, (c, v)]$ and $[s_2, \sigma] \to [r_2, (c, \alpha)]$ then $[s_1 \parallel s_2, \sigma] \to [r_1 \parallel r_2, \sigma\{\alpha/v\}]$

In the above, we adopt the convention that $\mathrm{E} ; s = \mathrm{E} \parallel s = s \parallel \mathrm{E} = s$, and $\mathrm{E} \parallel \mathrm{E} = \mathrm{E}$. We say that $[s, \sigma]$ blocks if there do not exist a resumption $r$ and a state (not an extended state) $\sigma'$ such that $[s, \sigma] \to [r, \sigma']$. The semantic domain for the operational semantics is introduced in

Definition 22. The domain $P_4$ is defined by

$(p \in)\,P_4 = \mathit{State}_3 \to \mathcal{P}_{nc}((\mathit{State}_3)^\infty_\delta).$

The set $(\varsigma \in)\,(\mathit{State}_3)^\infty_\delta = \mathit{State}_3^* \cup \mathit{State}_3^\omega \cup \mathit{State}_3^* \cdot \{\delta\}$ of finite and infinite sequences of states possibly ending with $\delta$ is endowed with the ultrametric described after Definition 4.

Definition 23. The operational semantics $\mathcal{O}^* : \mathit{Res}_3 \to P_4$ is the unique mapping satisfying

$\mathcal{O}^*(\mathrm{E}) = \lambda\sigma.\{\epsilon\}$

$\mathcal{O}^*(s) = \lambda\sigma.\begin{cases} \{\delta\} & \text{if } [s, \sigma] \text{ blocks} \\ \bigcup\{\, \sigma' \cdot \mathcal{O}^*(r)(\sigma') \mid [s, \sigma] \to [r, \sigma'] \,\} & \text{otherwise} \end{cases}$

The operational semantics $\mathcal{O}$ is defined as the restriction of $\mathcal{O}^*$ to $\mathcal{L}_{co}$. It is important to observe that $\mathcal{O}^*$, and hence $\mathcal{O}$, is not compositional, i.e. there is no semantic operator $\parallel$ satisfying $\mathcal{O}^*(s_1 \parallel s_2) = \mathcal{O}^*(s_1) \parallel \mathcal{O}^*(s_2)$.

The semantic domain for the denotational semantics is presented in

Definition 24. The domain $P_5$ is defined by

$(p \in)\,P_5 \cong \{\mathrm{E}\} \oplus (\mathit{State}_3 \to \mathcal{P}_{co}(\mathit{State}_3^{ext} \times \mathit{id}_{1/2}(P_5))).$

In the above definition, $\oplus$ denotes the disjoint union and $\mathcal{P}_{co}$ the compact power set operator. The domain $P_5$ is a branching domain. Its core structure is as that of a $P_5'$ solving $P_5' \cong \mathcal{P}_{co}(\mathit{State}_3^{ext} \times \mathit{id}_{1/2}(P_5'))$; additional structure is provided by the nil process $\mathrm{E}$ and by $P_5$'s functional dependence on arguments in $\mathit{State}_3$. It is not difficult to define (a natural extension of) bisimilarity (notation $\sim$) on $P_5$, and to show that $P_5$ is strongly extensional, viz. $p_1 \sim p_2$ if and only if $p_1 = p_2$ (cf. [RT92, Bre93]).

Definition 25. The operator $; : P_5 \times P_5 \to^1 P_5$ is the unique mapping satisfying

$p_1 ; p_2 = \begin{cases} p_2 & \text{if } p_1 = \mathrm{E} \\ \lambda\sigma.\{\, (\eta, p_1' ; p_2) \mid (\eta, p_1') \in p_1(\sigma) \,\} & \text{otherwise} \end{cases}$

The operator $+ : P_5 \times P_5 \to^1 P_5$ is defined by

$p_1 + p_2 = \begin{cases} p_2 & \text{if } p_1 = \mathrm{E} \\ p_1 & \text{if } p_2 = \mathrm{E} \\ \lambda\sigma.(p_1(\sigma) \cup p_2(\sigma)) & \text{otherwise} \end{cases}$

The operator $\parallel : P_5 \times P_5 \to^1 P_5$ is the unique mapping satisfying

$p_1 \parallel p_2 = (p_1 \lfloor\!\lfloor p_2) + (p_2 \lfloor\!\lfloor p_1) + (p_1 \lfloor p_2) + (p_2 \lfloor p_1)$

where

$p_1 \lfloor\!\lfloor p_2 = \begin{cases} p_2 & \text{if } p_1 = \mathrm{E} \\ \lambda\sigma.\{\, (\eta, p_1' \parallel p_2) \mid (\eta, p_1') \in p_1(\sigma) \,\} & \text{otherwise} \end{cases}$

and, for $p_1 = \mathrm{E}$ or $p_2 = \mathrm{E}$,

$p_1 \lfloor p_2 = \mathrm{E},$

otherwise

$p_1 \lfloor p_2 = \lambda\sigma.\{\, (\sigma\{\alpha/v\}, p_1' \parallel p_2') \mid ((c, \alpha), p_1') \in p_1(\sigma),\ ((c, v), p_2') \in p_2(\sigma) \,\}.$

The above definition can be made rigorous by another appeal to higher order techniques. For example, for the operator $;$ we should introduce a higher order mapping $\Phi_; : (P_5 \times P_5 \to^1 P_5) \to (P_5 \times P_5 \to^1 P_5)$ defined by

$\Phi_;(\phi)(p_1, p_2) = \begin{cases} p_2 & \text{if } p_1 = \mathrm{E} \\ \lambda\sigma.\{\, (\eta, \phi(p_1', p_2)) \mid (\eta, p_1') \in p_1(\sigma) \,\} & \text{otherwise} \end{cases}$


Definition 26. The denotational semantics $\mathcal{D} : \mathcal{L}_{co} \to P_5$ is the unique mapping satisfying

$\mathcal{D}(v := e) = \lambda\sigma.\{(\sigma\{\alpha/v\}, \mathrm{E})\}$, where $\alpha = \mathcal{V}(e)(\sigma)$

$\mathcal{D}(c\,!\,e) = \lambda\sigma.\{((c, \alpha), \mathrm{E})\}$, where $\alpha = \mathcal{V}(e)(\sigma)$

$\mathcal{D}(c\,?\,v) = \lambda\sigma.\{((c, v), \mathrm{E})\}$

$\mathcal{D}(s_1 ; s_2) = \mathcal{D}(s_1) ; \mathcal{D}(s_2)$

$\mathcal{D}(s_1 + s_2) = \mathcal{D}(s_1) + \mathcal{D}(s_2)$

$\mathcal{D}(s_1 \parallel s_2) = \mathcal{D}(s_1) \parallel \mathcal{D}(s_2)$

$\mathcal{D}(\mu x[s]) = \lambda\sigma.\{(\sigma, \mathcal{D}(s\{\mu x[s]/x\}))\}$


We now prepare the way for the statement relating $\mathcal{O}$ and $\mathcal{D}$. We first define a 'hybrid' operational semantics, based on $T_3$ but yielding elements in the denotational domain $P_5$.

Definition 27. The operational semantics $\mathcal{O}^\# : \mathit{Res}_3 \to P_5$ is the unique mapping satisfying

$\mathcal{O}^\#(\mathrm{E}) = \mathrm{E}$

$\mathcal{O}^\#(s) = \lambda\sigma.\{\, (\eta, \mathcal{O}^\#(r)) \mid [s, \sigma] \to [r, \eta] \,\}$

Second, we extend the denotational semantics $\mathcal{D}$ to a denotational semantics $\mathcal{D}^\#$ from $\mathit{Res}_3$ to $P_5$ by defining $\mathcal{D}^\#(\mathrm{E}) = \mathrm{E}$.

Lemma 28. $\mathcal{O}^\# = \mathcal{D}^\#$.

Proof. Following the first proof of Theorem 9, it suffices to show that the higher order mapping $\Phi_{\mathcal{O}^\#}$ underlying Definition 27 has $\mathcal{D}^\#$ as fixed point.

□
Finally, we show how the operational semantics $\mathcal{O}^\#$ and $\mathcal{O}^*$ are connected. Semantic domain $(p_4 \in)\,P_4$ is simpler than $(p_5 \in)\,P_5$ in three ways:

• for all $\sigma$, the branching structure of $p_5(\sigma)$ is collapsed, leaving in $p_4(\sigma)$ only a set of paths of $p_5(\sigma)$,

• failing attempts at communication $(c, \alpha)$ or $(c, v)$ appear in $p_5(\sigma)$ but not in $p_4(\sigma)$, and

• $p_5(\sigma)$ contains, in general, pairs $(\sigma', p_5')$. Here $p_5'$ models the continuation of the execution after $\sigma'$ has been delivered. This allows that an interleaving action of some $p_5''$ might change $\sigma'$ before $p_5'$ is applied. However, this does not hold for $p_4(\sigma)$ which contains sets of the form $\sigma' \cdot p_4'(\sigma')$.

The combined effect of these simplifications is yielded by $\mathit{trace}$ defined in

Definition 29. The mapping $\mathit{trace} : P_5 \to^1 P_4$ is the unique mapping satisfying

$\mathit{trace}(\mathrm{E}) = \lambda\sigma.\{\epsilon\}$

$\mathit{trace}(p) = \lambda\sigma.\begin{cases} \{\delta\} & \text{if } p(\sigma) \text{ blocks} \\ \bigcup\{\, \sigma' \cdot \mathit{trace}(p')(\sigma') \mid (\sigma', p') \in p(\sigma) \,\} & \text{otherwise} \end{cases}$

where $p(\sigma)$ blocks if there does not exist a pair $(\sigma', p')$ in $p(\sigma)$.

The well-definedness proof of the higher order mapping $\Phi_{\mathit{trace}}$ underlying the above definition relies on Michael's theorem$^6$.

Lemma 30. $\mathcal{O}^* = \mathit{trace} \circ \mathcal{O}^\#$.

Proof. Again we can follow the first proof of Theorem 9 by showing that the higher order mapping $\Phi_{\mathcal{O}^*}$ underlying Definition 23 has $\mathit{trace} \circ \mathcal{O}^\#$ as fixed point.

□

Theorem 31. $\mathcal{O} = \mathit{trace} \circ \mathcal{D}$.
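As an added illustration (constructed for this edit; not the paper's own code), the following Python block implements the recursion-free fragment of $\mathcal{L}_{co}$: the transition system $T_3$, $\mathcal{O}^*$ of Definition 23 with its deadlock $\delta$, the branching operators of Definition 25 on $P_5$, $\mathcal{D}$ of Definition 26 and $\mathit{trace}$ of Definition 29, and checks Theorem 31 on prefixes of bounded length. The clause for $\mu x[s]$ is omitted, expressions are Python functions of the state, and the two sample programs (a successful handshake and a deadlocking one) are constructed for this example.

```python
# Added example, not code from the paper: the recursion-free fragment of L_co (Section 3; mu x [s]
# is left out for brevity). O* follows Definition 23 on T_3, D builds a branching process in P_5
# with the operators of Definition 25, trace (Definition 29) collapses it, and Theorem 31 is checked
# on prefixes of length <= n. Statements are constructed tuples: ("v:=", v, e) with e a Python
# function of the state, ("!", c, e), ("?", c, v) and (op, s1, s2) with op one of ";", "+", "||".
from typing import Callable, FrozenSet, Optional, Tuple

State = FrozenSet[Tuple[str, int]]   # sigma in State_3; a frozenset, so sequences stay hashable
Res = Optional[tuple]                # resumption: a statement, or None in the role of E
Proc = Optional[Callable[[State], FrozenSet[tuple]]]  # p in P_5; None is the nil process E

def update(sigma: State, v: str, a: int) -> State:
    """sigma{a/v}"""
    return frozenset({**dict(sigma), v: a}.items())

def match(e1, e2) -> Optional[Tuple[str, int]]:
    """(v, a) when a send ("!", c, a) meets a receive ("?", c, v) on channel c, else None."""
    for snd, rcv in ((e1, e2), (e2, e1)):
        if isinstance(snd, tuple) and isinstance(rcv, tuple) \
                and snd[0] + rcv[0] == "!?" and snd[1] == rcv[1]:
            return rcv[2], snd[2]
    return None

def comb(op: str, r1: Res, r2: Res) -> Res:      # r1 op r2 with E ; s = E || s = s || E = s
    return r2 if r1 is None else r1 if r2 is None else (op, r1, r2)

def step(s: tuple, sigma: State) -> FrozenSet[Tuple[Res, object]]:
    """All [r, eta] with [s, sigma] -> [r, eta] in T_3 (Definition 21 without rule (6))."""
    op, s1, s2 = s
    if op == "v:=":                                   # rule (1)
        return frozenset({(None, update(sigma, s1, s2(dict(sigma))))})
    if op == "!":                                     # rule (2): value offered on channel s1
        return frozenset({(None, ("!", s1, s2(dict(sigma))))})
    if op == "?":                                     # rule (3): receive on s1 into variable s2
        return frozenset({(None, ("?", s1, s2))})
    if op == "+":                                     # rules (4), (5): zero-step choice
        return step(s1, sigma) | step(s2, sigma)
    if op == ";":                                     # rule (7)
        return frozenset((comb(";", r, s2), eta) for r, eta in step(s1, sigma))
    left, right = step(s1, sigma), step(s2, sigma)    # rules (8), (9): interleaving
    moves = {(comb("||", r, s2), eta) for r, eta in left}
    moves |= {(comb("||", s1, r), eta) for r, eta in right}
    for r1, e1 in left:                               # rules (10), (11): synchronisation
        for r2, e2 in right:
            if match(e1, e2):
                moves.add((comb("||", r1, r2), update(sigma, *match(e1, e2))))
    return frozenset(moves)

def O_star(r: Res, sigma: State, n: int) -> FrozenSet[tuple]:
    """Definition 23, cut off after n states; "delta" is delivered when [s, sigma] blocks."""
    if r is None or n == 0:
        return frozenset({()})
    proper = [(r2, eta) for r2, eta in step(r, sigma) if isinstance(eta, frozenset)]
    if not proper:
        return frozenset({("delta",)})
    return frozenset((eta,) + t for r2, eta in proper for t in O_star(r2, eta, n - 1))

def seq_p(p1: Proc, p2: Proc) -> Proc:                # p1 ; p2 (Definition 25)
    return p2 if p1 is None else (lambda sigma: frozenset((eta, seq_p(q, p2)) for eta, q in p1(sigma)))

def plus_p(p1: Proc, p2: Proc) -> Proc:               # p1 + p2
    if p1 is None or p2 is None:
        return p2 if p1 is None else p1
    return lambda sigma: p1(sigma) | p2(sigma)

def lmerge(p1: Proc, p2: Proc) -> Proc:               # left merge: p1 makes the first step
    return p2 if p1 is None else (lambda sigma: frozenset((eta, par_p(q, p2)) for eta, q in p1(sigma)))

def sync(p1: Proc, p2: Proc) -> Proc:                 # communication merge: one matching pair
    if p1 is None or p2 is None:
        return None
    return lambda sigma: frozenset((update(sigma, *match(e1, e2)), par_p(q1, q2))
                                   for e1, q1 in p1(sigma) for e2, q2 in p2(sigma)
                                   if match(e1, e2))

def par_p(p1: Proc, p2: Proc) -> Proc:                # p1 || p2: the four summands of Definition 25
    return plus_p(plus_p(lmerge(p1, p2), lmerge(p2, p1)), plus_p(sync(p1, p2), sync(p2, p1)))

def D(s: tuple) -> Proc:
    """Definition 26 without the mu clause; an atomic statement takes one step to E."""
    op, s1, s2 = s
    if op in (";", "+", "||"):
        return {";": seq_p, "+": plus_p, "||": par_p}[op](D(s1), D(s2))
    return lambda sigma: frozenset((eta, None) for _, eta in step(s, sigma))

def trace(p: Proc, sigma: State, n: int) -> FrozenSet[tuple]:
    """Definition 29: collapse the branching, drop failed communications, deliver delta."""
    if p is None or n == 0:
        return frozenset({()})
    proper = [(eta, q) for eta, q in p(sigma) if isinstance(eta, frozenset)]
    if not proper:
        return frozenset({("delta",)})
    return frozenset((eta,) + t for eta, q in proper for t in trace(q, eta, n - 1))

# Constructed samples: a handshake on channel c, and a choice whose c ! 1 branch has no partner.
HANDSHAKE = ("||", (";", ("!", "c", lambda d: 1), ("v:=", "v", lambda d: d["v"] + 1)),
                   (";", ("?", "c", "w"), ("v:=", "w", lambda d: d["w"] * 10)))
DEADLOCK = ("||", ("+", ("!", "c", lambda d: 1), ("v:=", "v", lambda d: 7)), ("?", "d", "w"))
SIGMA0: State = frozenset({("v", 0), ("w", 0)})
```

For `DEADLOCK` both sides deliver the state with `v = 7` followed by `delta`: the unmatched `c ! 1` offer survives in `D` as an extended state and is dropped by `trace`, exactly the second simplification listed before Definition 29.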

4 A parallel language with second order communication

This is the culminating section of our paper, providing a synthesis of ideas from Sections 2 and 3. In addition, we need some novel techniques to establish the relationship between $\mathcal{O}$ and $\mathcal{D}$ for $\mathcal{L}_{co2}$. In particular, we use

• the 'processes as terms' approach of [Rut92], and

• a metric on configurations of a transition system ([Bre94]).

As in Section 2, a more realistic language could be based on local states. In such a setting it would be meaningful to transmit a closure, a pair consisting of a statement and a local state, rather than just a statement (as we do in the operational model for $\mathcal{L}_{co2}$).

$^6$ Let $(X, d_X)$ be a metric space. If $A \in \mathcal{P}_{co}(\mathcal{P}_{co}(X))$ then $\bigcup A \in \mathcal{P}_{co}(X)$ (cf. [Mic51]).
Definition 32. The language $\mathcal{L}_{co2}$ is defined by

$s ::= v := e \mid s ; s \mid s + s \mid s \parallel s \mid x \mid c\,!\,s \mid c\,?\,x.$

The configurations of the transition system are pairs of resumptions (defined as in the previous section, but now named $\mathit{Res}_4$) and extended syntactic states.

Definition 33. The set $\mathit{SynState}_4$ of syntactic states is defined by

$(\sigma \in)\,\mathit{SynState}_4 = (\mathit{IVar} \to \mathit{Val}) \times (\mathit{PVar} \to \mathcal{L}_{co2}).$

The class $\mathit{SynState}_4^{ext}$ of extended syntactic states is defined by

$(\eta \in)\,\mathit{SynState}_4^{ext} = \mathit{SynState}_4 \cup (\mathit{Chan} \times \mathcal{L}_{co2}) \cup (\overline{\mathit{Chan}} \times \mathit{PVar}),$

where $\overline{\mathit{Chan}} = \{\, \bar{c} \mid c \in \mathit{Chan} \,\}$.

We introduce $\overline{\mathit{Chan}}$ to avoid a possible ambiguity: we distinguish between the extended state denoting that statement $x$ is sent on channel $c$, denoted by $(c, x)$, and the extended state denoting that the statement received on channel $c$ should be assigned to procedure variable $x$, denoted by $(\bar{c}, x)$. The transition system $T_4$ is presented in

Definition 34. The transition relation $\to$ of $T_4$ is the smallest subset of $(\mathit{Res}_4 \times \mathit{SynState}_4^{ext}) \times (\mathit{Res}_4 \times \mathit{SynState}_4^{ext})$ satisfying (1), (4), (5), (7), (8), (9) from Definition 21, and

(12) $[x, \sigma] \to [\sigma(x), \sigma]$

(13) $[c\,!\,s, \sigma] \to [\mathrm{E}, (c, s)]$

(14) $[c\,?\,x, \sigma] \to [\mathrm{E}, (\bar{c}, x)]$

(15) if $[s_1, \sigma] \to [r_1, (c, s)]$ and $[s_2, \sigma] \to [r_2, (\bar{c}, x)]$ then $[s_1 \parallel s_2, \sigma] \to [r_1 \parallel r_2, \sigma\{s/x\}]$

(16) if $[s_1, \sigma] \to [r_1, (\bar{c}, x)]$ and $[s_2, \sigma] \to [r_2, (c, s)]$ then $[s_1 \parallel s_2, \sigma] \to [r_1 \parallel r_2, \sigma\{s/x\}]$

The definitions of $\mathcal{O}^*$ and $\mathcal{O}$ follow those of $\mathcal{O}^*$ and $\mathcal{O}$ of the previous section, but now using transition system $T_4$ and semantic domain $P_6$ introduced in

Definition 35. The domain $P_6$ is defined by

$(p \in)\,P_6 = \mathit{SynState}_4 \to \mathcal{P}_{nc}((\mathit{SynState}_4)^\infty_\delta).$

Next, we define the collection of (extended) semantic states $\mathit{SemState}_4$ ($\mathit{SemState}_4^{ext}$), and the domain $P_7$ of denotational meanings for $\mathcal{L}_{co2}$.

Definition 36. The domains $\mathit{SemState}_4$, $\mathit{SemState}_4^{ext}$, and $P_7$ are defined by

$(\rho \in)\,\mathit{SemState}_4 \cong (\mathit{IVar} \to \mathit{Val}) \times (\mathit{PVar} \to \mathit{id}_{1/2}(P_7))$

$(\xi \in)\,\mathit{SemState}_4^{ext} \cong \mathit{SemState}_4 \oplus (\mathit{Chan} \times \mathit{id}_{1/2}(P_7)) \oplus (\overline{\mathit{Chan}} \times \mathit{PVar})$

$(p \in)\,P_7 \cong \{\mathrm{E}\} \oplus (\mathit{SemState}_4 \to^1 \mathcal{P}_{co}(\mathit{SemState}_4^{ext} \times \mathit{id}_{1/2}(P_7)))$

Note the correspondence of the definitions of the domains $\mathit{SemState}_4$, $\mathit{SemState}_4^{ext}$, and $P_7$ with those of $\mathit{SynState}_4$, $\mathit{SynState}_4^{ext}$, and $P_6$, respectively. On domain $P_7$ we can define (higher order) bisimilarity in several ways. Based on these definitions, the domain can be shown to be strongly extensional. Whether one of the bisimilarity notions gives us the 'right' equivalence needs further study.

Definition 37. The denotational semantics $\mathcal{D} : \mathcal{L}_{co2} \to P_7$ is defined by

$\mathcal{D}(v := e) = \lambda\rho.\{(\rho\{\alpha/v\}, \mathrm{E})\}$, where $\alpha = \mathcal{V}(e)(\rho)$

$\mathcal{D}(s_1 ; s_2) = \mathcal{D}(s_1) ; \mathcal{D}(s_2)$

$\mathcal{D}(s_1 + s_2) = \mathcal{D}(s_1) + \mathcal{D}(s_2)$

$\mathcal{D}(s_1 \parallel s_2) = \mathcal{D}(s_1) \parallel \mathcal{D}(s_2)$

$\mathcal{D}(x) = \lambda\rho.\{(\rho, \rho(x))\}$

$\mathcal{D}(c\,!\,s) = \lambda\rho.\{((c, p), \mathrm{E})\}$, where $p = \mathcal{D}(s)$

$\mathcal{D}(c\,?\,x) = \lambda\rho.\{((\bar{c}, x), \mathrm{E})\}$

The semantic operators used here are defined quite similarly to those of Definition 25. For example, for the operator $\lfloor$ we have, for $p_1 \neq \mathrm{E}$ and $p_2 \neq \mathrm{E}$,

$p_1 \lfloor p_2 = \lambda\rho.\{\, (\rho\{p/x\}, p_1' \parallel p_2') \mid ((c, p), p_1') \in p_1(\rho),\ ((\bar{c}, x), p_2') \in p_2(\rho) \,\}.$

In order to relate $\mathcal{O}$ and $\mathcal{D}$, we need various preparations. First, we want to mimic the introduction of $\mathcal{O}^\#$ (cf. Definition 27), delivering denotational meanings. This requires using $\rho$'s rather than $\sigma$'s. Clause (12) of Definition 34 then obtains the form $[x, \rho] \to [\rho(x), \rho]$. As a consequence, semantic entities $p \in P_7$ appear in the new $T_4'$, with respect to the extended class of resumptions introduced in Definition 38. In Definition 39, we introduce the induced transition system. Note that $T_4'$ is no longer finitely branching, and the higher order definition of $\mathcal{O}^\#$ based on $T_4'$ requires separate justification.

Definition 38. The class $\mathit{Res}_4'$ is defined by

$u ::= \mathrm{E} \mid t$

where

$t ::= v := e \mid t ; t \mid t + t \mid t \parallel t \mid x \mid c\,!\,t \mid c\,?\,x \mid p.$

Definition 39. The transition relation $\to$ of $T_4'$ is the smallest subset of $(\mathit{Res}_4' \times \mathit{SemState}_4^{ext}) \times (\mathit{Res}_4' \times \mathit{SemState}_4^{ext})$ satisfying

(1) $[v := e, \rho] \to [\mathrm{E}, \rho\{\alpha/v\}]$, where $\alpha = \mathcal{V}(e)(\rho)$

(2) $[t_1 + t_2, \rho] \to_0 [t_1, \rho]$

(3) $[t_1 + t_2, \rho] \to_0 [t_2, \rho]$

(4) $[x, \rho] \to [\rho(x), \rho]$

(5) $[c\,!\,t, \rho] \to [\mathrm{E}, (c, p)]$, where $p = \mathcal{D}^\#(t)$ (cf. Definition 43)

(6) $[c\,?\,x, \rho] \to [\mathrm{E}, (\bar{c}, x)]$

(7) if $[t_1, \rho] \to [u_1, \xi]$ then $[t_1 ; t_2, \rho] \to [u_1 ; t_2, \xi]$

(8) if $[t_1, \rho] \to [u_1, \xi]$ then $[t_1 \parallel t_2, \rho] \to [u_1 \parallel t_2, \xi]$

(9) if $[t_2, \rho] \to [u_2, \xi]$ then $[t_1 \parallel t_2, \rho] \to [t_1 \parallel u_2, \xi]$

(10) if $[t_1, \rho] \to [u_1, (c, p)]$ and $[t_2, \rho] \to [u_2, (\bar{c}, x)]$ then $[t_1 \parallel t_2, \rho] \to [u_1 \parallel u_2, \rho\{p/x\}]$

(11) if $[t_1, \rho] \to [u_1, (\bar{c}, x)]$ and $[t_2, \rho] \to [u_2, (c, p)]$ then $[t_1 \parallel t_2, \rho] \to [u_1 \parallel u_2, \rho\{p/x\}]$

(12) if $(\xi, p') \in p(\rho)$ then $[p, \rho] \to [p', \xi]$

Definition  40.  The  operational  semantics  O#  :  Res 4  — i-1  P7  is  the  unique  map¬ 
ping  satisfying 

O*  (e)  =  e 

0*{t)  =  Ap .  {  ($,  O*  (ti))  |  [t,  p]  —  [ti,  £]  } 

Note that the uniqueness claimed in the above definition assumes a metric on $\mathit{Res}_{ext}$. This metric is presented in

Definition 41. The metric $d : \mathit{Res}_{ext} \times \mathit{Res}_{ext} \to [0, 1]$ is defined by $d(u, u') = 0$ if $u = u'$, and otherwise by

$$d(u, u') = \begin{cases} d_P(u, u') & \text{if } u \in P \text{ and } u' \in P \\ \max\{d(t_1, t_1'), d(t_2, t_2')\} & \text{if } u = t_1 \,;\, t_2 \text{ and } u' = t_1' \,;\, t_2' \\ \max\{d(t_1, t_1'), d(t_2, t_2')\} & \text{if } u = t_1 + t_2 \text{ and } u' = t_1' + t_2' \\ \max\{d(t_1, t_1'), d(t_2, t_2')\} & \text{if } u = t_1 \parallel t_2 \text{ and } u' = t_1' \parallel t_2' \\ d(t, t') & \text{if } u = c\,!\,t \text{ and } u' = c\,!\,t' \\ 1 & \text{otherwise} \end{cases}$$

We shall also need the mapping $S$ defined in

Definition 42. The mapping

$S : (\mathit{Res}_{ext} \times \mathit{SemState}_{ext}) \to \mathcal{P}_{co}(\mathit{Res}_{ext} \times \mathit{SemState}_{ext})$

is defined by

$S(u, \rho) = \{\, [u', \xi] \mid [u, \rho] \to [u', \xi] \,\}.$
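The transition rules of Definition 39 and the successor-set mapping $S$ of Definition 42, as an added executable reading that is not part of the paper. It assumes that expressions are integer literals or program variables (so $\mathcal{V}$ is a lookup), that $\mathcal{D}^\sharp(t)$ may be taken to be the operational behaviour of $t$ (which Lemma 44 licenses), that $\varepsilon$ is identified with $\mathrm{E}$, and that $\mathrm{E} \,;\, t$ and $\mathrm{E} \parallel t$ are identified with $t$; the sample resumption is constructed.

```python
from __future__ import annotations
from dataclasses import dataclass
from typing import Any, Union

# Res_ext (Definition 38).  A program variable v holds an integer, a process
# variable x holds a semantic entity p (a Sem, below).
@dataclass(frozen=True)
class E: pass                                    # the terminated resumption
@dataclass(frozen=True)
class Assign: v: str; e: Union[int, str]         # v := e  (e: literal or program variable)
@dataclass(frozen=True)
class Seq: t1: Any; t2: Any                      # t1 ; t2
@dataclass(frozen=True)
class Choice: t1: Any; t2: Any                   # t1 + t2
@dataclass(frozen=True)
class Par: t1: Any; t2: Any                      # t1 || t2
@dataclass(frozen=True)
class Var: x: str                                # x
@dataclass(frozen=True)
class Send: c: str; t: Any                       # c ! t
@dataclass(frozen=True)
class Recv: c: str; x: str                       # c ? x

@dataclass(frozen=True)
class Sem:
    """A semantic entity p: p(rho) is the set of (xi, p') it can produce.  By
    Lemma 44 (O# = D#) we take D#(t) to be the operational behaviour of t."""
    t: Any
    def __call__(self, rho):
        return {(xi, denote(u)) for (u, xi) in step(self.t, rho)}

def denote(t):
    """D#(t); epsilon is identified with E here (an assumption of this example)."""
    return t if isinstance(t, (E, Sem)) else Sem(t)

def state(d):
    """A semantic state rho as a hashable, order-independent tuple."""
    return tuple(sorted(d.items(), key=lambda kv: kv[0]))

def update(rho, k, val):                         # rho{val/k}
    return state({**dict(rho), k: val})

def valuation(e, rho):                           # V(e)(rho) for the expressions assumed here
    return e if isinstance(e, int) else dict(rho)[e]

def seq(u, t):                                   # E ; t is identified with t
    return t if isinstance(u, E) else Seq(u, t)

def par(u1, u2):                                 # E || u and u || E are identified with u
    if isinstance(u1, E): return u2
    if isinstance(u2, E): return u1
    return Par(u1, u2)

def step(u, rho):
    """S(u, rho) of Definition 42: all [u', xi] with [u, rho] -> [u', xi] by the
    rules of Definition 39.  xi is ('st', rho'), ('send', c, p) or ('recv', c, x)."""
    if isinstance(u, E):
        return set()
    if isinstance(u, Assign):                                               # (1)
        return {(E(), ("st", update(rho, u.v, valuation(u.e, rho))))}
    if isinstance(u, Choice):                                               # (2), (3)
        return {(u.t1, ("st", rho)), (u.t2, ("st", rho))}
    if isinstance(u, Var):                                                  # (4)
        return {(dict(rho)[u.x], ("st", rho))}
    if isinstance(u, Send):                                                 # (5)
        return {(E(), ("send", u.c, denote(u.t)))}
    if isinstance(u, Recv):                                                 # (6)
        return {(E(), ("recv", u.c, u.x))}
    if isinstance(u, Seq):                                                  # (7)
        return {(seq(u1, u.t2), xi) for (u1, xi) in step(u.t1, rho)}
    if isinstance(u, Sem):                                                  # (12)
        return {(p1, xi) for (xi, p1) in u(rho)}
    left, right = step(u.t1, rho), step(u.t2, rho)                         # u = t1 || t2
    out = {(par(u1, u.t2), xi) for (u1, xi) in left}                        # (8)
    out |= {(par(u.t1, u2), xi) for (u2, xi) in right}                      # (9)
    for (u1, xi1) in left:                                                  # (10), (11): a send
        for (u2, xi2) in right:                                             # meets a receive on c
            if xi1[0] == "send" and xi2[0] == "recv" and xi1[1] == xi2[1]:
                out.add((par(u1, u2), ("st", update(rho, xi2[2], xi1[2]))))
            if xi1[0] == "recv" and xi2[0] == "send" and xi1[1] == xi2[1]:
                out.add((par(u1, u2), ("st", update(rho, xi1[2], xi2[2]))))
    return out

def final_states(u, rho, fuel=100):
    """States in which u can terminate, following internal steps only.  A
    non-terminated configuration with no internal step blocks ('delta', cf.
    Definition 47); fuel bounds the search for the reader's experiments."""
    if isinstance(u, E):
        return {rho}
    internal = [(u1, xi[1]) for (u1, xi) in step(u, rho) if xi[0] == "st"]
    if not internal or fuel == 0:
        return {"delta"}
    return set().union(*(final_states(u1, r1, fuel - 1) for (u1, r1) in internal))

# Constructed sample: one side sends the process "v := 1" on channel c, the
# other receives it into x and then runs x.
SAMPLE = Par(Send("c", Assign("v", 1)), Seq(Recv("c", "x"), Var("x")))
RHO0 = state({"v": 0})

if __name__ == "__main__":
    for u1, xi in sorted(step(SAMPLE, RHO0), key=repr):
        print(u1, "|", xi)
    print(final_states(SAMPLE, RHO0))
```

From `[SAMPLE, RHO0]` there are three transitions (an unmatched send, an unmatched receive, and the communication of rule (10)); following only internal steps, the received process is run via rules (4) and (12) and the computation terminates with `v` set to 1.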


Let $\Phi_{O^\sharp}$ be the higher order mapping associated in the natural way with the definition of $O^\sharp$. Well-definedness of $\Phi_{O^\sharp}$ follows by noting that

• $S$ is well-defined, i.e., for all $u$ and $\rho$, $S(u, \rho)$ is compact and $S$ is nonexpansive,

• for all $t$ and $\rho$, the set $\{\, (\xi, \phi(u)) \mid [t, \rho] \to [u, \xi] \,\}$ is compact, since $S$ delivers compact sets and $\phi$ is nonexpansive,

• for all $t$, the mapping $\lambda\rho . \{\, (\xi, \phi(u)) \mid [t, \rho] \to [u, \xi] \,\}$ is nonexpansive, since $S$ and $\phi$ are nonexpansive.

Second, we extend the denotational semantics $\mathcal{D}$.

Definition 43. The denotational semantics $\mathcal{D}^\sharp : \mathit{Res}_{ext} \to P$ is defined by

$\mathcal{D}^\sharp(\mathrm{E}) = \varepsilon$

$\mathcal{D}^\sharp(v := e) = \lambda\rho . \{ (\rho\{\alpha/v\}, \varepsilon) \}$, where $\alpha = \mathcal{V}(e)(\rho)$

$\mathcal{D}^\sharp(t_1 \,;\, t_2) = \mathcal{D}^\sharp(t_1) \,;\, \mathcal{D}^\sharp(t_2)$

$\mathcal{D}^\sharp(t_1 + t_2) = \mathcal{D}^\sharp(t_1) + \mathcal{D}^\sharp(t_2)$

$\mathcal{D}^\sharp(t_1 \parallel t_2) = \mathcal{D}^\sharp(t_1) \parallel \mathcal{D}^\sharp(t_2)$

$\mathcal{D}^\sharp(x) = \lambda\rho . \{ (\rho, \rho(x)) \}$

$\mathcal{D}^\sharp(c\,!\,t) = \lambda\rho . \{ ((c, p), \varepsilon) \}$, where $p = \mathcal{D}^\sharp(t)$

$\mathcal{D}^\sharp(c\,?\,x) = \lambda\rho . \{ ((c, x), \varepsilon) \}$

$\mathcal{D}^\sharp(p) = p$

Lemma 44. $O^\sharp = \mathcal{D}^\sharp$.

Proof. This proof follows the first proof of Theorem 9. For example, for resumption $x$ we have that

$\Phi_{O^\sharp}(\mathcal{D}^\sharp)(x)$

$= \lambda\rho . \{ (\rho, \mathcal{D}^\sharp(\rho(x))) \}$

$= \lambda\rho . \{ (\rho, \rho(x)) \}$

$= \mathcal{D}^\sharp(x).$

□

To each extended syntactic state an extended semantic state is assigned by the mapping $\mathit{sem}$.

Definition 45. The mapping $\mathit{sem} : \mathit{SynState}_{ext} \to \mathit{SemState}_{ext}$ is defined by

$\mathit{sem}(\sigma) = (\sigma_1, \lambda x . \mathcal{D}^\sharp(\sigma_2(x)))$

$\mathit{sem}((c, x)) = (c, x)$

$\mathit{sem}((c, s)) = (c, \mathcal{D}^\sharp(s))$

The mapping $\mathit{sem}$ is, again, extended in the natural way to a mapping from $\mathcal{P}_{nc}((\mathit{SynState}_{ext})^\infty_\delta)$ to $\mathcal{P}_{nc}((\mathit{SemState}_{ext})^\infty_\delta)$. The next lemma is the key technical result on which the relationship between $O$ and $\mathcal{D}$ is based. The lemma expresses a canonical correspondence between transitions of $T$ and $T^\sharp$.


Lemma 46. For all $s$, $r$, $u$, $\sigma$, $\sigma'$, and $\xi$,

if $[s, \sigma] \to [r, \sigma']$ then $[s, \mathit{sem}(\sigma)] \to [u', \mathit{sem}(\sigma')]$ and $O^\sharp(u') = O^\sharp(r)$ for some $u'$

and

if $[s, \mathit{sem}(\sigma)] \to [u, \xi]$ then $[s, \sigma] \to [r', \sigma'']$ and $O^\sharp(r') = O^\sharp(u)$ and $\mathit{sem}(\sigma'') = \xi$ for some $r'$ and $\sigma''$.

Proof. This lemma can be proved by structural induction on $s$. We will only consider the first part for statement $s_1 \,;\, s_2$. We distinguish two cases.

1. Assume $[s_1 \,;\, s_2, \sigma] \to [s_2, \sigma']$. Then $[s_1, \sigma] \to [\mathrm{E}, \sigma']$. By induction, $[s_1, \mathit{sem}(\sigma)] \to [u', \mathit{sem}(\sigma')]$ and $O^\sharp(u') = O^\sharp(\mathrm{E})$. Consequently, $u' = \mathrm{E}$. So, $[s_1 \,;\, s_2, \mathit{sem}(\sigma)] \to [s_2, \mathit{sem}(\sigma')]$.

2. Assume $[s_1 \,;\, s_2, \sigma] \to [s_1' \,;\, s_2, \sigma']$. Then $[s_1, \sigma] \to [s_1', \sigma']$. By induction, $[s_1, \mathit{sem}(\sigma)] \to [u', \mathit{sem}(\sigma')]$ and $O^\sharp(u') = O^\sharp(s_1')$. Consequently, $u' \neq \mathrm{E}$. So, $[s_1 \,;\, s_2, \mathit{sem}(\sigma)] \to [u' \,;\, s_2, \mathit{sem}(\sigma')]$ and

$O^\sharp(u' \,;\, s_2)$

$= \mathcal{D}^\sharp(u' \,;\, s_2)$

$= O^\sharp(u') \,;\, \mathcal{D}^\sharp(s_2)$

$= O^\sharp(s_1') \,;\, \mathcal{D}^\sharp(s_2)$

$= O^\sharp(s_1' \,;\, s_2).$

□

The mapping $\mathit{trace}$ used for the present language is obtained from Definition 29 by replacing $\sigma$'s by $\rho$'s:

Definition 47. The mapping $\mathit{trace} : P \to \mathit{SemState}_{ext} \to^{1} \mathcal{P}_{nc}((\mathit{SemState}_{ext})^\infty_\delta)$ is defined by

$\mathit{trace}(\varepsilon) = \lambda\rho . \{\varepsilon\}$

$$\mathit{trace}(p) = \lambda\rho . \begin{cases} \{\delta\} & \text{if } p(\rho) \text{ blocks} \\ \bigcup \{\, \rho' \cdot \mathit{trace}(p')(\rho') \mid (\rho', p') \in p(\rho) \,\} & \text{otherwise} \end{cases}$$

The operational semantics $O^{\ast}$ and $O^\sharp$ are related by means of the mappings $\mathit{sem}$ and $\mathit{trace}$.

Lemma 48. For all $r$ and $\sigma$, $\mathit{sem}(O^{\ast}(r)(\sigma)) = \mathit{trace}(O^\sharp(r))(\mathit{sem}(\sigma))$.

Proof. We can prove this lemma by means of the proof principle exploited in the second proof of Theorem 9 using Lemma 46.

□


Theorem 49. For all $s$ and $\sigma$, $\mathit{sem}(O(s)(\sigma)) = \mathit{trace}(\mathcal{D}(s))(\mathit{sem}(\sigma))$.

Summary

The results from Sections 1 to 4 relating $O$ and $\mathcal{D}$ for the four languages considered are summarised in the following table (putting $O[\![s]\!] = O(s)$ for each of the four languages, $\mathcal{D}[\![s]\!] = \mathcal{D}(s)(\lambda\sigma . \{\varepsilon\})$ for the language of Section 1, $\mathcal{D}[\![s]\!] = \mathcal{D}(s)(\lambda\rho . \{\varepsilon\})$ for the language of Section 2, and $\mathcal{D}[\![s]\!] = \mathcal{D}(s)$ for the languages of Sections 3 and 4):

Section 1: $O[\![s]\!] = \mathcal{D}[\![s]\!]$

Section 2: $\mathit{sem} \circ O[\![s]\!] = \mathcal{D}[\![s]\!] \circ \mathit{sem}$

Section 3: $O[\![s]\!] = (\mathit{trace} \circ \mathcal{D})[\![s]\!]$

Section 4: $\mathit{sem} \circ O[\![s]\!] = (\mathit{trace} \circ \mathcal{D})[\![s]\!] \circ \mathit{sem}$

References

[ABKR89] P. America, J.W. de Bakker, J.N. Kok, and J.J.M.M. Rutten. Denotational Semantics of a Parallel Object-Oriented Language. Information and Computation, 83(2):152-205, November 1989.

[ACCL90] M. Abadi, L. Cardelli, P.-L. Curien, and J.-J. Lévy. Explicit Substitutions. In Proceedings of the 17th Annual ACM Symposium on Principles of Programming Languages, pages 31-46, San Francisco, January 1990.

[AGR92] E. Astesiano, A. Giovini, and G. Reggio. Observational Structures and their Logics. Theoretical Computer Science, 96(1):249-283, April 1992.

[AR87] E. Astesiano and G. Reggio. SMoLCS-driven Concurrent Calculi. In H. Ehrig, R. Kowalski, G. Levi, and U. Montanari, editors, Proceedings of the International Joint Conference on Theory and Practice of Software Development, volume 249 of Lecture Notes in Computer Science, pages 169-201, Pisa, March 1987. Springer-Verlag.

[AR89] P. America and J.J.M.M. Rutten. Solving Reflexive Domain Equations in a Category of Complete Metric Spaces. Journal of Computer and System Sciences, 39(3):343-375, December 1989.

[Ban22] S. Banach. Sur les Opérations dans les Ensembles Abstraits et leurs Applications aux Équations Intégrales. Fundamenta Mathematicae, 3:133-181, 1922.

[Bar92] H.P. Barendregt. Lambda Calculi with Types. In S. Abramsky, Dov M. Gabbay, and T.S.E. Maibaum, editors, Handbook of Logic in Computer Science, volume 2, Background: Computational Structures, chapter 2, pages 117-309. Clarendon Press, Oxford, 1992.

[BB92] G. Berry and G. Boudol. The Chemical Abstract Machine. Theoretical Computer Science, 96(1):217-248, April 1992.

[BM88] J.W. de Bakker and J.-J.Ch. Meyer. Metric Semantics for Concurrency. BIT, 28:504-529, 1988.

[Bou89] G. Boudol. Towards a Lambda-Calculus for Concurrent and Communicating Systems. In J. Díaz and F. Orejas, editors, Proceedings of the International Joint Conference on Theory and Practice of Software Development, volume 351 of Lecture Notes in Computer Science, pages 149-162, Barcelona, March 1989. Springer-Verlag.

[BR92] J.W. de Bakker and J.J.M.M. Rutten, editors. Ten Years of Concurrency Semantics, selected papers of the Amsterdam Concurrency Group. World Scientific, Singapore, September 1992.

[Bre93] F. van Breugel. Three Metric Domains of Processes for Bisimulation. This volume.

[Bre94] F. van Breugel. Topological Models in Comparative Semantics. PhD thesis, Vrije Universiteit, Amsterdam, 1994. In preparation.

[BZ82] J.W. de Bakker and J.I. Zucker. Processes and the Denotational Semantics of Concurrency. Information and Control, 54(1/2):70-120, July/August 1982.

[Cur88] P.-L. Curien. The λρ-calculus: An Abstract Framework for Environment Machines. Report, LIENS, Paris, October 1988.

[Hoa85] C.A.R. Hoare. Communicating Sequential Processes. Series in Computer Science. Prentice-Hall International, London, 1985.

[JP90] R. Jagadeesan and P. Panangaden. A Domain-theoretic Model for a Higher-order Process Calculus. In M.S. Paterson, editor, Proceedings of the 17th International Colloquium on Automata, Languages and Programming, volume 443 of Lecture Notes in Computer Science, pages 181-194, Coventry, July 1990. Springer-Verlag.

[KR90] J.N. Kok and J.J.M.M. Rutten. Contractions in Comparing Concurrency Semantics. Theoretical Computer Science, 76(2/3):179-222, 1990.

[Kur56] K. Kuratowski. Sur une Méthode de Métrisation Complète des Certains Espaces d'Ensembles Compacts. Fundamenta Mathematicae, 43:114-138, 1956.

[LTLG92] J.-J. Lévy, B. Thomsen, L. Leth, and A. Giacalone. CONcurrency and Functions: Evaluation and Reduction. Bulletin of the European Association for Theoretical Computer Science, 48:88-106, October 1992.

[Mic51] E. Michael. Topologies on Spaces of Subsets. Transactions of the American Mathematical Society, 71:152-182, 1951.

[Mil92] R. Milner. Functions as Processes. Mathematical Structures in Computer Science, 2(2):119-141, June 1992.

[MPW92] R. Milner, J. Parrow, and D. Walker. A Calculus of Mobile Processes, I and II. Information and Computation, 100(1):1-40 and 41-77, September 1992.

[MS92] R. Milner and D. Sangiorgi. Barbed Bisimulation. In W. Kuich, editor, Proceedings of the 19th International Colloquium on Automata, Languages and Programming, volume 623 of Lecture Notes in Computer Science, pages 685-695, Vienna, July 1992. Springer-Verlag.

[Plo81] G.D. Plotkin. A Structural Approach to Operational Semantics. Report DAIMI FN-19, Aarhus University, Aarhus, September 1981.

[RT92] J.J.M.M. Rutten and D. Turi. On the Foundations of Final Semantics: non-standard sets, metric spaces, partial orders. In J.W. de Bakker, W.-P. de Roever, and G. Rozenberg, editors, Proceedings of the REX Workshop on Semantics: Foundations and Applications, volume 666 of Lecture Notes in Computer Science, pages 477-530, Beekbergen, June 1992. Springer-Verlag.

[Rut92] J.J.M.M. Rutten. Processes as Terms: Non-Well-Founded Models for Bisimulation. Mathematical Structures in Computer Science, 2(3):257-275, September 1992.

[San92] D. Sangiorgi. Expressing Mobility in Process Algebras: First-Order and Higher-Order Paradigms. PhD thesis, University of Edinburgh, Edinburgh, 1992.

[San93] D. Sangiorgi. An Investigation into Functions as Processes. This volume.

[Tho89] B. Thomsen. A Calculus of Higher Order Communicating Systems. In Proceedings of the 16th Annual ACM Symposium on Principles of Programming Languages, pages 143-154, Austin, January 1989.

[Tho90] B. Thomsen. Calculi for Higher Order Communicating Systems. PhD thesis, Imperial College, London, September 1990.


An Investigation into Functions as Processes

Davide Sangiorgi

Abstract. In [Mil90] Milner examines the encoding of the λ-calculus into the π-calculus [MPW92]. The former is the universally accepted basis for computations with functions, the latter aims at being its counterpart for computations with processes. The primary goal of this paper is to continue the study of Milner's encodings. We focus mainly on the lazy λ-calculus [Abr87]. We show that its encoding gives rise to a λ-model, in which a weak form of extensionality holds. However the model is not fully abstract: To obtain full abstraction, we examine both the restrictive approach, in which the semantic domain of processes is cut down, and the expansive approach, in which λ-calculus is enriched with constants to obtain a direct characterisation of the equivalence on λ-terms induced, via the encoding, by the behavioural equivalence adopted on the processes. Our results are derived exploiting an intermediate representation of Milner's encodings into the Higher-Order π-calculus, an ω-order extension of π-calculus where also agents may be transmitted. For this, essential use is made of the fully abstract compilation from the Higher-Order π-calculus to the π-calculus studied in [San92a].


1 Introduction

In [Mil90] Milner examines the encoding of the λ-calculus into the π-calculus [MPW92]; the former is the universally accepted basis for computations with functions, the latter aims at being its counterpart for computations with processes. More precisely, Milner shows how the evaluation strategies of lazy λ-calculus and call-by-value λ-calculus [Abr87, Plo75] can be faithfully mimicked. The characterisation of the equivalence induced on λ-terms by the encodings is left as an open problem; it also remains to be studied which kind of λ-model, if any, can be constructed from the process terms.

The primary goal of this paper is to continue the study of Milner's encodings. A deep comparison between a process calculus and λ-calculus is interesting for several reasons; indeed, virtually all proposals for process calculi with the capability of treating, directly or indirectly, processes as first class objects have incorporated attempts at embedding the λ-calculus [Bou89, Tho90]. From the process calculus point of view, it is a significant test of expressiveness, and helps in getting deeper insight into its theory. From the λ-calculus point of view, it provides the means to study λ-terms in contexts other than purely sequential ones, and with the instruments developed in the process calculus. For example, an important behavioural equivalence upon process terms gives rise to an interesting equivalence upon λ-terms. Moreover, the relevance of those λ-calculus evaluation strategies which can be efficiently encoded is strengthened. More practical motivations for describing functions as processes are to provide a semantic foundation for languages which combine concurrent and functional programming and to develop parallel implementations of functional languages.

Our other major goal is more centered on process calculi. The paradigm on which π-calculus is constructed is first order: Reductions cause instantiations of names. This contrasts with what happens in λ-calculus, where reductions cause instantiations of terms. Higher-order communications are avoided in π-calculus because of their complexity and because they can be represented at first order. The latter is shown in [San92a] by comparing π-calculus with the Higher-Order π-calculus (HOπ), an ω-order extension of π-calculus where not only names but also processes and parametrised processes of arbitrarily high order can be communicated: A compilation from HOπ to π-calculus is defined and proved fully abstract with respect to the semantics of the calculi. Thus, the second goal of this paper is to illustrate the use of HOπ and of the representability result of HOπ into π-calculus.

Using the abstraction power of HOπ, for both the lazy and the call-by-value λ-calculus we give encodings which are easier to understand and to deal with than those available in the π-calculus. By applying the compilation from HOπ to π-calculus, we can turn them into π-calculus encodings which can then be compared with Milner's; this is a significant test for the canonicity of the encodings involved. In the lazy λ-calculus the correspondence is exact. That is, if $\mathcal{P}$ and $\mathcal{H}$ are, respectively, the π-calculus and HOπ encodings, and $\mathcal{C}$ is the compilation from HOπ to π-calculus, then the following diagram commutes:

$$\lambda \xrightarrow{\;\mathcal{H}\;} \mathrm{HO}\pi \xrightarrow{\;\mathcal{C}\;} \pi, \qquad \lambda \xrightarrow{\;\mathcal{P}\;} \pi \qquad (\text{i.e. } \mathcal{C} \circ \mathcal{H} = \mathcal{P})$$

In consequence, since $\mathcal{C}$ is fully abstract, any result proved for one of the encodings can be transferred to the other. By working with HOπ, we show in this paper that the encodings do give rise to a λ-model, where conditional extensionality holds. It is not fully abstract, though. To obtain full abstraction we follow two directions: In the restrictive approach, based on the use of barbed bisimulation [MS92], the semantic domain of processes is cut down; in the expansive approach λ-calculus is enriched with constants to obtain a direct characterisation of the equivalence on λ-terms induced, via the encoding, by the behavioural equivalence adopted on the processes.

For call-by-value the situation is less sharp. In [Mil90] Milner presents two candidates for the encoding, and it is not obvious which one should be preferred: The first allows easier reasoning, but the second is more efficient. Moreover, when applied to the HOπ encoding, compilation $\mathcal{C}$ does not return either of them. Apparently, to obtain them some code transformation has to be carried out. The study of these transformations leads to interesting outcomes. Firstly, it suggests a correction of the order in which some actions appear in Milner's encodings. This rearrangement does not affect the operational correspondence between λ- and π-terms. However, it affects the behavioural equivalence on the encoding π-terms, in a way which makes the encoding more faithful to the encoded call-by-value discipline. Secondly, the study of the transformations reveals that $\beta_v$-reduction is not valid in Milner's second encoding, which severely reduces its importance.¹ The counterexample is fairly sophisticated and we doubt we could have obtained it without going through HOπ.

This  paper  is  an  extract  from  (mainly  chapter  6  of)  the  author’s  Ph.D.  thesis 
[San92a];  we  refer  to  it  for  details  and  proofs  of  the  results  reported. 

Acknowledgements. I wish to thank Robin Milner for discussions and suggestions, and Benjamin Pierce, Peter Sewell and the anonymous referees for comments on an earlier draft. The paper was written during my stay at INRIA-Rocquencourt;

2 The π-calculus and the Higher-Order π-calculus

In this section we review the syntax and semantics of π-calculus and HOπ, before moving on to the study of the representation of functions as processes, the core of this paper.

2.1  Syntax 

We shall look explicitly only at the syntax and the semantics of the Higher-Order π-calculus (HOπ), since the π-calculus is a subcalculus of it. Actually, we only present a fragment of these languages, but one which is sufficient for the encoding of the λ-calculus. A more detailed description of the operators involved and their meaning can be found in [San92a].

A HOπ agent (or term) can be a process or an abstraction, i.e. a parametrised process. In the following, $P$ and $Q$ stand for processes, $F$ and $G$ for abstractions, $A$ for agents. We use $X, Y$ to range over the set of variables; as in λ-calculus, a variable is supposed to be instantiated with a term. The letters $a, b, \ldots, x, y, \ldots$ stand for names. Moreover, $K$ stands for an agent or a name and $U$ for a variable or a name. We use a tilde to denote a finite (possibly empty) tuple. In the fragment of HOπ we consider, a process is built from names using the operators of parallel composition, restriction, replication, variable application, input and output prefixing, and nil.

$$P ::= P_1 \mid P_2 \;\;\big|\;\; \nu x\, P \;\;\big|\;\; !P \;\;\big|\;\; X\langle \tilde K\rangle \;\;\big|\;\; x(\tilde U).P \;\;\big|\;\; \overline{x}\langle \tilde K\rangle.P \;\;\big|\;\; 0$$

An agent is an abstraction over a process or over a partial application:

$$A ::= (\tilde U)P \;\;\big|\;\; (\tilde U)X\langle \tilde K\rangle$$

Variable application $X\langle \tilde K\rangle$ is needed to provide an abstraction received as an input with the appropriate arguments. The other process operators resemble those of the (polyadic) π-calculus and CCS (see [Mil91, Mil89]); we only remind the reader that the replication $!P$ represents an unbounded number of copies of $P$ in parallel, and allows us to describe processes with infinite behaviour. Application has the highest precedence; abstraction the lowest. Sometimes we abbreviate $a.0$ as $a$. In the above expressions, when a tuple is empty the surrounding brackets $()$ or $\langle\rangle$ are omitted. Note that also a variable $X$ is an agent, corresponding to the case in which $\tilde U$ and $\tilde K$ are empty.

¹ The version of [Mil90] which appeared in the Jour. of Math. Structures was written when the results in this chapter were already known and thus presents only the first encoding.

An abstraction is an agent which takes some arguments before becoming a process. The typical form of an abstraction is $(\tilde U)P$; it is like a procedure, in which $(\tilde U)$ represents the parameters. For instance, $F \stackrel{\text{def}}{=} (Y)(P \mid Y)$ abstracts on a process variable; $F$ takes a process and runs it in parallel with $P$. We can also abstract on abstraction variables, as in $G \stackrel{\text{def}}{=} (X)(P \mid X\langle Q\rangle)$; then $F$ applied to $G$ yields $P \mid P \mid Q$. The machinery can be iterated, progressively increasing the order of the resulting abstraction. In this sense HOπ is an ω-order calculus: There is no bound on the order of the agents which can be written and communicated. In contrast, in π-calculus abstractions and communications can only be first order, i.e. abstractions and communications of names. Thus, in π-calculus syntax, variable application does not appear and tuples $\tilde K$ and $\tilde U$ are replaced by simple tuples of names.

W.r.t.  the  language  in  [San92a],  we  have  omitted  the  operators  of  matching  and 
summation,  and  recursive  definitions  of  agents  have  been  replaced  by  replication. 
The  latter  is  a  limitation  because  while  replication  can  be  encoded  using  recursive 
definitions,  the  other  way  round  only  holds  if  the  number  of  recursive  definitions 
is  finite  (see  [Mil91,  section  3.1]).  Further,  in  the  presented  sublanguage  an  agent 
may  only  have  a  finite  number  of  free  names.  By  contrast,  in  the  full  syntax  in 
[San92a],  since  infinite  recursive  definitions  and  infinite  summations  are  allowed, 
it  is  possible  to  write  agents  which  have  an  infinite  number  of  free  names,  like  a 
counter  which  at  each  step  emits  a  signal  on  a  different  channel. 

The restriction $\nu b\, P$, the input prefix $a(\tilde U).P$ and the abstraction $(\tilde U)P$ are formal binders for names and variables in $\tilde U$ and $b$; they give rise in the expected way to the definitions of α-conversion, free names and free variables of a term. An open agent is an agent possibly containing free variables.

It is crucial in practice to avoid disagreements in what is carried by a given name or expected in applications; for instance we reject expressions like $\overline{a}\langle b_1, b_2\rangle.P \mid a(x).Q$ or $X\langle b\rangle \mid X\langle b_1, b_2\rangle$, due to the mismatching in the use of the names. In HOπ this need is very compelling: It is not only a question of arities, but we also have to avoid any confusion between instantiation of names and of agents as well as instantiation of agents of different order. To this end, Milner proposed the use of sorts [Mil91]. Sorts have, very roughly, the flavour of types in λ-calculus; however in the process calculi not only terms are assigned a sort (or a type), but also names, the latter depending upon the (sorts of the) objects which that name can carry. The sorting system is also useful to understand the passage from π-calculus to HOπ: The ω-order sorts of HOπ can be derived by removing certain constraints on the first-order sort language of π-calculus. We will not present the sorting system because it is not essential to understand the contents of this paper. The reader should take for granted that all agents described obey a sorting.


It is worth pointing out that we do not lose expressiveness in our language by having application only with variables. In fact, every "well-sorted expression" $A\langle \tilde K\rangle$ can be put into this form by "executing" the applications it contains; for instance from $((X)Y\langle X\rangle)\langle P\rangle$, we get $Y\langle P\rangle$. This makes the definition of substitution more elaborate, but facilitates the proofs in the calculus. However, we shall sometimes use $A\langle F\rangle$ as metanotation; for instance, if $G \stackrel{\text{def}}{=} (X)P$, then $G\langle F\rangle$ is $P\{F/X\}$.


2.2 Operational semantics

Following Milner [Mil90, Mil91], we give the operational semantics of the language as a reduction system. We begin by defining structural congruence, written $\equiv$, as the smallest congruence over the class of processes which satisfies the rules below.

1. $P \equiv Q$ if $P$ is α-convertible to $Q$;

2. abelian monoid laws for $\mid$: $P \mid Q \equiv Q \mid P$, $P \mid (Q \mid R) \equiv (P \mid Q) \mid R$, $P \mid 0 \equiv P$;

3. $\nu x\, 0 \equiv 0$; $\nu x\, \nu y\, P \equiv \nu y\, \nu x\, P$; $(\nu x\, P) \mid Q \equiv \nu x\, (P \mid Q)$, if $x \notin \mathrm{fn}(Q)$;

4. $!P \equiv P \mid\, !P$.

The structural congruence axioms are used to act upon the structure of terms so that processes willing to interact can be brought into contiguous positions. Then the reduction relation can be described with a few simple rules:

COM: $x(\tilde U).P \mid \overline{x}\langle \tilde K\rangle.Q \to P\{\tilde K/\tilde U\} \mid Q$

PAR: if $P \to P'$ then $P \mid Q \to P' \mid Q$

RES: if $P \to P'$ then $\nu x\, P \to \nu x\, P'$

STRUCT: if $Q \equiv P$, $P \to P'$ and $P' \equiv Q'$ then $Q \to Q'$


2.3 Barbed bisimulation

Barbed bisimulation was first proposed in [MS92]. One of the motivations was to be able to uniformly define bisimulation-based equivalences in different calculi. This is a very important property for the kind of work conducted in this paper, since it allows us to have the same definition of equivalence in the calculi considered (including the λ-calculus, as we shall see in Section 6).

Barbed bisimulation focuses on the reduction relation. It goes a little further though, since the reduction relation by itself is not enough to yield the desired discriminating power. The choice in [San92a] was to introduce, for each name $a$, an observation predicate $\downarrow_a$ which detects the possibility of performing a communication with the environment along $a$. We can check whether $P \downarrow_a$ holds from the syntactic form of $P$: There must be a prefix $a(\tilde U)$ or $\overline{a}\langle \tilde K\rangle$ which is not underneath another prefix and not in the scope of a restriction on $a$. For example, if $P$ is $(\nu c)(c.b \mid a.d)$, then $P \downarrow_a$, but not $P \downarrow_c$, $P \downarrow_b$ or $P \downarrow_d$.

Definition 1. Strong barbed bisimulation, written $\dot{\sim}$, is the largest symmetrical relation on the class of processes of the language such that $P \dot{\sim} Q$ implies:

1. whenever $P \to P'$ then there is a $Q'$ such that $Q \to Q'$ and $P' \dot{\sim} Q'$;

2. for each name $a$, if $P \downarrow_a$ then $Q \downarrow_a$. □
By itself, barbed bisimulation is too coarse (it is not even preserved by parallel composition). By parametrisation over contexts, we get a finer relation.

Definition 2. Two processes $P$ and $Q$ are strong barbed-congruent, written $P \sim Q$, if for each context $C[\cdot]$, it holds that $C[P] \dot{\sim} C[Q]$. □

It is important to stress that the proofs in [San92a] dealing with barbed congruence use the full languages of π-calculus and HOπ, as opposed to the fragments presented here, in the construction of the contexts with which processes are tested. Therefore, these contexts use matching, summation, infinite recursive definitions and infinite free names. A challenging problem for future research is to see whether such results can also be proved in the finitary calculus, i.e. without infinite definitions and names.

The weak version of the equivalence, in which one abstracts away from the length of the reductions in two matching actions, is obtained in the standard way: Let $\Rightarrow$ be the reflexive and transitive closure of $\to$ and let $\Downarrow_a$ be $\Rightarrow\downarrow_a$ (the composition of the two relations). Then weak barbed bisimulation, written $\dot{\approx}$, is defined by replacing, in Definition 1, the transition $Q \to Q'$ with $Q \Rightarrow Q'$ and the predicate $Q \downarrow_a$ with $Q \Downarrow_a$; and weak barbed congruence, written $\approx$, by replacing in Definition 2 $\dot{\sim}$ with $\dot{\approx}$. The definition of barbed congruence on abstractions and open agents is given in the expected way, by requiring instantiation of variables and of abstracted names with all admissible agents or names.

The discriminatory power of barbed bisimulation is tested in [San92a], by proving that in the strong and in the weak case barbed congruence coincides in CCS and π-calculus with the ordinary bisimilarity congruences.
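As an added example (not the paper's code), the reduction rules of Section 2.2 and the predicates $P \downarrow_a$ and $P \Downarrow_a$ of this section, implemented for the first-order, replication-free fragment. It assumes names are strings, a prefix carries at most one name, and the fresh names it generates (of the form `n_k`) do not occur in the source process; the sample processes are constructed, the first being the $(\nu c)(c.b \mid a.d)$ above with the bare prefixes read as inputs.

```python
from __future__ import annotations
from dataclasses import dataclass
from itertools import count
from typing import Optional

# Processes of the fragment: names are strings; a prefix carries one name or
# none (tuples are not modelled); there is no replication.
@dataclass(frozen=True)
class Nil: pass                                   # 0
@dataclass(frozen=True)
class Par: p: object; q: object                   # P | Q
@dataclass(frozen=True)
class Res: x: str; p: object                      # (nu x) P
@dataclass(frozen=True)
class In: x: str; u: Optional[str]; p: object     # x(u).P
@dataclass(frozen=True)
class Out: x: str; k: Optional[str]; p: object    # x<k>.P

_counter = count()
def fresh(hint):                                  # assumed not to occur in the source process
    return f"{hint}_{next(_counter)}"

def subst(p, u, k):
    """P{k/u}: replace free occurrences of name u by k, renaming a binder that
    would capture k (alpha-conversion, rule 1 of the structural congruence)."""
    r = lambda n: k if n == u else n
    if isinstance(p, Nil): return p
    if isinstance(p, Par): return Par(subst(p.p, u, k), subst(p.q, u, k))
    if isinstance(p, Res):
        if p.x == u: return p                         # u is bound here: nothing free to replace
        if p.x == k:                                  # rename the binder away from k
            y = fresh(p.x); return Res(y, subst(subst(p.p, p.x, y), u, k))
        return Res(p.x, subst(p.p, u, k))
    if isinstance(p, In):
        if p.u == u: return In(r(p.x), p.u, p.p)
        if p.u is not None and p.u == k:
            y = fresh(p.u); return In(r(p.x), y, subst(subst(p.p, p.u, y), u, k))
        return In(r(p.x), p.u, subst(p.p, u, k))
    return Out(r(p.x), r(p.k) if p.k is not None else None, subst(p.p, u, k))

def normal_form(p, bound=()):
    """Use the structural congruence (rules 2 and 3) to write p as (nu x~)(A1 | ... | An)
    with every Ai prefixed; nu-bound names are renamed apart, so scope extrusion
    never needs its side condition x not in fn(Q)."""
    if isinstance(p, Nil): return bound, ()
    if isinstance(p, Par):
        b1, a1 = normal_form(p.p, bound); b2, a2 = normal_form(p.q, b1)
        return b2, a1 + a2
    if isinstance(p, Res):
        y = fresh(p.x); return normal_form(subst(p.p, p.x, y), bound + (y,))
    return bound, (p,)

def rebuild(bound, agents):                       # (nu x~)(A1 | ... | An) back as a term
    body = Nil()
    for a in reversed(agents): body = a if isinstance(body, Nil) else Par(a, body)
    for x in reversed(bound): body = Res(x, body)
    return body

def reductions(p):
    """All P' with P --> P': rule COM, closed under PAR, RES and STRUCT."""
    bound, agents = normal_form(p)
    out = set()
    for i, a in enumerate(agents):
        for j, b in enumerate(agents):
            if not (isinstance(a, In) and isinstance(b, Out) and a.x == b.x): continue
            if (a.u is None) != (b.k is None): continue   # ill-sorted pair: rejected by the sorting
            cont = a.p if a.u is None else subst(a.p, a.u, b.k)
            rest = tuple(c for n, c in enumerate(agents) if n not in (i, j))
            out.add(rebuild(bound, (cont, b.p) + rest))
    return out

def observable(p, a, restricted=frozenset()):
    """P |a: a prefix on a not underneath another prefix and not in the scope
    of a restriction on a (Section 2.3)."""
    if isinstance(p, Nil): return False
    if isinstance(p, Par): return observable(p.p, a, restricted) or observable(p.q, a, restricted)
    if isinstance(p, Res): return observable(p.p, a, restricted | {p.x})
    return p.x == a and a not in restricted

def weakly_observable(p, a):
    """P ||a: some P' with P ==> P' and P' |a (a finite search without replication)."""
    seen, todo = set(), [p]
    while todo:
        q = todo.pop()
        if q in seen: continue
        seen.add(q)
        if observable(q, a): return True
        todo.extend(reductions(q))
    return False

# Constructed samples.  P_EXAMPLE is the paper's (nu c)(c.b | a.d), reading the bare
# prefixes as inputs; Q_EXAMPLE becomes observable on b only after one reduction.
P_EXAMPLE = Res("c", Par(In("c", None, In("b", None, Nil())), In("a", None, In("d", None, Nil()))))
Q_EXAMPLE = Res("c", Par(Out("c", "b", Nil()), In("c", "x", Out("x", None, Nil()))))
```

`Q_EXAMPLE` shows the difference between the strong and the weak predicate: it is not observable on `b`, but its single reduction (the communication on the restricted `c`) yields a process that is.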


2.4 The compilation from HOπ to π-calculus

We present the compilation from HOπ to π-calculus on agents which can transmit only one value (a name or an abstraction) and which only use unary abstractions. This is purely to make the definition of the compilation (and of the operational correspondence for it) more readable; the generalisation to the calculus with arbitrary arities does not introduce semantic complications. We use $(\overline{a}\langle m\rangle.P)\{m := F\}$ to stand for $\nu m\,(\overline{a}\langle m\rangle.P \mid\, !m(U).F\langle U\rangle)$, where $U$ is a name or a variable, depending upon the sort of $m$.¹ One should think of $m$ as a pointer to $F$ and $\{m := F\}$ as a "local environment" for $P$. We call $m$ a name-trigger.

The compilation $\mathcal{C}$ from HOπ to π-calculus is defined in Table 1. The idea is that the communication of the HOπ agent $F$ should be represented at first order by the communication of a name-trigger $m$ which gives access to (the encoding of) $F$; the name $m$ is used by the recipient to activate the needed copies of $F$ with the appropriate arguments. The other delicate rules are those for application and for variable. Consider the application $X\langle F\rangle$: When $X$ is instantiated to an agent $G$, it becomes $G\langle F\rangle$. Translating $X\langle F\rangle$, we expect to receive just a name-trigger to $G$, and we are expected to use this name to activate $G$, providing it with the

¹ When $P$ is $0$, the occurrence of $\mid$ is unnecessary and hence $(\overline{a}\langle m\rangle.0)\{m := F\}$ should be read as $\nu m\,(\overline{a}\langle m\rangle.\,!m(U).F\langle U\rangle)$.


t 
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itj  f  C[(y)Jf(K)|  if  x  ia  a  higher-order  abstraction 

™  ~  |cj(«)Af(a)l  ot*lenr“e 

(  (a(m).C(P])  {m  :*  C[F\)  Ham  5(F) 

CJor.PJ  V  ^  a(x).C[P]  if  «  =  a(X) 

U-CIFI  otherwise 

C[*<F)J  ='  (x(m).O)  {m  :=  C[FJ}  C[X<6>]  ='  5(h). 0 

C[P  |  Q1  ='  C|PJ  |  C[Q\  C[u  a  P]  =J  v  a  C[P\  C[!P]  ='  \C{P\ 
C[(X)P 1  ='  (z)C[P]  C[(«)P]  («)C[P1 

Table  1.  The  compilation  C 


argument  F.  Since  we  cannot  pass  agents  at  first  order,  as  in  the  rule  for  output, 
this  is  resolved  by  sending  a  name-trigger  for  F.  In  the  rule  for  variable  an  re¬ 
conversion  is  employed.  This  is  to  make  explicit  all  possible  applications  and  hence 
to  introduce  all  necessary  name-triggers;  the  use  of  full  triggered  forms  is  needed 
to  get  the  soundness  of  Theorem  3  below  [San92a].  In  this  rule,  the  termination  of 
C  is  guaranteed  by  the  well-sortedness  hypothesis  which  ensures  that,  in  (Y)A(Y), 
the  sort  of  Y  is  “smaller”  than  the  sort  of  X.  In  the  table,  a  variable  X  is  mapped 
to  its  lower  case  letter  x\  we  assume  that  both  this  name  x  and  the  name-trigger 
m  are  fresh,  i.e.  do  not  occur  in  the  source  agent. 

As a simple example, suppose $F \stackrel{def}{=} (b)0$, $Y$ is a first-order variable of the same sort as $F$, and $X$ is a second-order variable which may take $F$ or $Y$ as arguments. Then

$$\mathcal{C}[\![(X)(X\langle F\rangle \mid X\langle Y\rangle)]\!] = (x)(\bar x\langle m\rangle\{m := F\} \mid \bar x\langle m\rangle\{m := (z)\bar y\langle z\rangle\})$$

Theorem 3 (full abstraction for $\mathcal{C}$). For each HOπ agent $A_1$ and $A_2$, it holds that $A_1 \approx A_2$ iff $\mathcal{C}[\![A_1]\!] \approx \mathcal{C}[\![A_2]\!]$. □

3 The lazy λ-calculus

We take for granted the basic concepts of the λ-calculus (see [Bar84]). We use $\Lambda$ for the class of closed pure λ-terms and $M, N, L$ to range over $\Lambda$. We denote by $\Omega$ the divergent term $(\lambda x.xx)(\lambda x.xx)$. In Abramsky's lazy λ-calculus [Abr87], a redex is always at the extreme left of a term: The reduction rules are those for reflexivity and transitivity plus

$$(\beta)\quad (\lambda x.M)N \Longrightarrow M\{N/x\} \qquad (App)\quad \frac{M \Longrightarrow M'}{MN \Longrightarrow M'N}$$

When embedding the λ-calculus into a process calculus, functional application becomes a particular parallel combination of two agents, the function and its argument, and $\beta$-reduction a particular case of interaction. The encoding below of lazy λ-calculus into HOπ makes this idea very transparent. The translation of a λ-term is an abstraction over a name; this name will be the only access to that agent and will be used to interact with the appropriate λ-term. Thus $\mathcal{H}[\![\lambda x.M]\!]\langle p\rangle$ receives at $p$ its λ-argument and the name $q$ which will give access to $M$. In the translation of application, the restriction on $q$ prevents interference from other processes. For simplicity, a variable $x$ of the λ-calculus is mapped to its upper-case variable $X$ in HOπ.

$$\begin{array}{lcl} \mathcal{H}[\![\lambda x.M]\!] & \stackrel{def}{=} & (p)\, p(X,q).\mathcal{H}[\![M]\!]\langle q\rangle \\ \mathcal{H}[\![x]\!] & \stackrel{def}{=} & X \\ \mathcal{H}[\![MN]\!] & \stackrel{def}{=} & (p)\,\nu q\,(\mathcal{H}[\![M]\!]\langle q\rangle \mid \bar q\langle \mathcal{H}[\![N]\!], p\rangle.0) \end{array}$$

The higher-order features of HOπ allow us a simpler encoding than Milner's into π-calculus [Mil90]. Indeed, there is a one-to-one correspondence between reductions in λ-terms and in their HOπ counterparts. Therefore, following Boudol's terminology [Bou89], we can claim that lazy λ-calculus is a subcalculus of HOπ.

Proposition 4 (operational correspondence for $\mathcal{H}$). Let $M$ and $M'$ be closed λ-terms.

1. If $M \longrightarrow M'$ then $\mathcal{H}[\![M]\!]\langle p\rangle \longrightarrow \mathcal{H}[\![M']\!]\langle p\rangle$;

2. the converse, i.e. if $\mathcal{H}[\![M]\!]\langle p\rangle \longrightarrow Q$ then there is an $M'$ such that $M \longrightarrow M'$ and $Q = \mathcal{H}[\![M']\!]\langle p\rangle$.

Proof: Induction on the structure of $M$. □

If we apply compilation $\mathcal{C}$ to the encoding $\mathcal{H}$, the output is precisely Milner's encoding $\mathcal{V}$ in [Mil90]; the symbol '$\circ$' denotes function composition:

Proposition 5. $\mathcal{C} \circ \mathcal{H} = \mathcal{V}$. □

Consequently, by appealing to the full abstraction for $\mathcal{C}$, we can freely switch between the two encodings. We shall exploit this in Sections 5 and 6 to study them from the point of view of the model theory of the λ-calculus.


4 The Call-by-Value λ-calculus


In call-by-value λ-calculus, reductions may only occur when the argument is a value, i.e. an abstraction. The reduction relation used by Milner in [Mil90] is described by the usual rules for reflexivity and transitivity plus the rules $\beta_v$, $App_L$, $App_R$:

$$(\beta_v)\quad (\lambda x.M)\lambda y.N \Longrightarrow M\{\lambda y.N/x\}$$

$$(App_L)\quad \frac{M \Longrightarrow M'}{MN \Longrightarrow M'N} \qquad (App_R)\quad \frac{N \Longrightarrow N'}{MN \Longrightarrow MN'}$$
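As an added example (not code from the paper), here is a small-step interpreter for the two reduction relations just defined, the lazy rules ($\beta$, $App$) of Section 3 and the call-by-value rules ($\beta_v$, $App_L$, $App_R$) above, run on the terms $\Omega$, $E$ and $K = \lambda xy.x$ from the text. The term representation, the helper names and the step bound used as a stand-in for divergence are our own assumptions.

```python
# Added example, not code from the paper. lazy_step implements (β) and (App)
# of Section 3; cbv_step implements (β_v), (App_L) and (App_R) of Section 4.
# Term syntax, helper names and the fuel bound are our own; divergence is not
# decidable, so "no abstraction within `fuel` steps" stands in for M ⇑.
from __future__ import annotations
from dataclasses import dataclass
from typing import Callable, Optional, Union


@dataclass(frozen=True)
class Var:
    name: str


@dataclass(frozen=True)
class Lam:
    param: str
    body: "Term"


@dataclass(frozen=True)
class App:
    fun: "Term"
    arg: "Term"


Term = Union[Var, Lam, App]


def show(t: Term) -> str:
    if isinstance(t, Var):
        return t.name
    if isinstance(t, Lam):
        return f"(\\{t.param}.{show(t.body)})"
    return f"({show(t.fun)} {show(t.arg)})"


def free_vars(t: Term) -> set[str]:
    if isinstance(t, Var):
        return {t.name}
    if isinstance(t, Lam):
        return free_vars(t.body) - {t.param}
    return free_vars(t.fun) | free_vars(t.arg)


_fresh_counter = 0


def fresh(base: str) -> str:
    """A binder name not used elsewhere (assumes user names carry no '_<n>' suffix)."""
    global _fresh_counter
    _fresh_counter += 1
    return f"{base}_{_fresh_counter}"


def subst(t: Term, x: str, n: Term) -> Term:
    """Capture-avoiding substitution t{n/x}: a binder that would capture a free
    variable of n is renamed first."""
    if isinstance(t, Var):
        return n if t.name == x else t
    if isinstance(t, App):
        return App(subst(t.fun, x, n), subst(t.arg, x, n))
    if t.param == x:                      # x is bound here; nothing to replace
        return t
    if t.param in free_vars(n):           # rename the binder to avoid capture
        y = fresh(t.param)
        return Lam(y, subst(subst(t.body, t.param, Var(y)), x, n))
    return Lam(t.param, subst(t.body, x, n))


def lazy_step(t: Term) -> Optional[Term]:
    """One lazy step: (β) if the head is a redex, else (App) on the left."""
    if isinstance(t, App):
        if isinstance(t.fun, Lam):        # (β)   (λx.M)N ⟹ M{N/x}
            return subst(t.fun.body, t.fun.param, t.arg)
        m2 = lazy_step(t.fun)             # (App) M ⟹ M' / MN ⟹ M'N
        return App(m2, t.arg) if m2 is not None else None
    return None                           # abstractions are values; no reduction under λ


def cbv_step(t: Term) -> Optional[Term]:
    """One call-by-value step: (β_v) needs an abstraction as argument;
    otherwise (App_L) on the function, then (App_R) on the argument."""
    if isinstance(t, App):
        if isinstance(t.fun, Lam) and isinstance(t.arg, Lam):   # (β_v)
            return subst(t.fun.body, t.fun.param, t.arg)
        m2 = cbv_step(t.fun)                                    # (App_L)
        if m2 is not None:
            return App(m2, t.arg)
        n2 = cbv_step(t.arg)                                    # (App_R)
        return App(t.fun, n2) if n2 is not None else None
    return None


def converges(t: Term, step: Callable[[Term], Optional[Term]], fuel: int = 64) -> Optional[Term]:
    """Reduce closed t with `step` until it is an abstraction (t ⇓) and return it;
    None if t is stuck or has not converged after `fuel` steps."""
    for _ in range(fuel):
        if isinstance(t, Lam):
            return t
        nxt = step(t)
        if nxt is None:
            return None
        t = nxt
    return None


# Terms from the text, constructed here.
K = Lam("x", Lam("y", Var("x")))
OMEGA = App(Lam("x", App(Var("x"), Var("x"))),
            Lam("x", App(Var("x"), Var("x"))))          # (λx.xx)(λx.xx)
E = App(Lam("x", Lam("y", App(Var("x"), Var("x")))),
        Lam("x", Lam("y", App(Var("x"), Var("x")))))   # always convergent: E N ⇓ for all N

if __name__ == "__main__":
    for name, term in [("Ω", OMEGA), ("λx.Ωx", Lam("x", App(OMEGA, Var("x")))),
                       ("EΩ", App(E, OMEGA)), ("KΩ", App(K, OMEGA))]:
        lz, cv = converges(term, lazy_step), converges(term, cbv_step)
        print(f"{name:7} lazy: {show(lz) if lz else 'no value'}   cbv: {show(cv) if cv else 'no value'}")
```

Under the lazy rules $K\Omega$ and $E\Omega$ converge while under call-by-value both loop on the argument $\Omega$, which is the "divergent argument" behaviour the text appeals to for $x\Omega$; $\lambda x.\Omega x$ converges while $\Omega$ does not, the η failure discussed in Section 5.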
We shall try to repeat for call-by-value what we did in the previous section for lazy λ-calculus: We propose an encoding into HOπ and then we compare it with Milner's into π-calculus through compilation $\mathcal{C}$. The call-by-value encodings are slightly more involved than those for the lazy λ-calculus. They also lose a neat canonicity, which is implicitly confirmed by the fact that in his original work [Mil90], Milner presents two candidates for the encoding. Basically, the problems in the translation of call-by-value come from the following dichotomy in the behaviour of a λ-abstraction. Take the term $MN$: Both $M$ and $N$ could reduce to an abstraction; but if $M$ does, then the abstraction is destined to perform the input of a value, whereas if $N$ does, the abstraction represents an output value. This causes disagreement on whether the process which encodes a λ-abstraction should first perform an input or an output.

In the encoding below into HOπ, in contrast with the one for the lazy λ-calculus, the translation of an application allows the two arguments $M$ and $N$ to run in parallel. The HOπ process uses $p$ to communicate (with an output action) that $M$ has reduced to a value; then the dichotomy in the behaviour of a λ-abstraction is solved by the arbiter $App\langle p, q, r\rangle$ which imposes the correct interaction between $M$ and $N$.

$$\begin{array}{lcl} \mathcal{H}[\![\lambda x.M]\!] & \stackrel{def}{=} & (p)\,\bar p\langle (w)\,w(X,q).\mathcal{H}[\![M]\!]\langle q\rangle\rangle.0 \\ \mathcal{H}[\![x]\!] & \stackrel{def}{=} & (p)\,\bar p\langle X\rangle.0 \\ \mathcal{H}[\![MN]\!] & \stackrel{def}{=} & (p)\,(\nu q,r)(\mathcal{H}[\![M]\!]\langle q\rangle \mid \mathcal{H}[\![N]\!]\langle r\rangle \mid App\langle p,q,r\rangle) \end{array}$$

where $App(p,q,r) \stackrel{def}{=} q(X).r(Y).\nu v\,(X\langle v\rangle \mid \bar v\langle Y,p\rangle.0)$.

It is enlightening to relate this encoding to the one for the lazy λ-calculus. In the above rules for abstraction and variable, the "core" is the object part of the output at $p$, and it has the same format as the corresponding rule for the lazy λ-calculus. Now the rule for "call-by-value application" should become clear: The arbiter $App$ receives along $q$ and $r$ the "cores" of $\mathcal{H}[\![M]\!]$ and $\mathcal{H}[\![N]\!]$ and then imposes on them the "lazy application". Therefore a reduction on the λ-terms is matched by three reductions on the process side. Let us apply compilation $\mathcal{C}$ to $\mathcal{H}$ and see what we get back.

$$\begin{array}{lcl} \mathcal{C}[\![\mathcal{H}[\![\lambda x.M]\!]]\!] & \stackrel{def}{=} & (p)\,\bar p\langle m\rangle\{m := (w)\,w(x,q).\mathcal{C}[\![\mathcal{H}[\![M]\!]]\!]\langle q\rangle\} \\ \mathcal{C}[\![\mathcal{H}[\![x]\!]]\!] & \stackrel{def}{=} & (p)\,\bar p\langle m\rangle\{m := (w)\,\bar x\langle w\rangle\} \\ \mathcal{C}[\![\mathcal{H}[\![MN]\!]]\!] & \stackrel{def}{=} & (p)\,(\nu q,r)(\mathcal{C}[\![\mathcal{H}[\![M]\!]]\!]\langle q\rangle \mid \mathcal{C}[\![\mathcal{H}[\![N]\!]]\!]\langle r\rangle \mid App_\pi\langle p,q,r\rangle) \end{array}$$

where, with simple algebraic manipulations, $App_\pi(p,q,r)$ can be written as

$$App_\pi(p,q,r) \stackrel{def}{=} q(x).r(y).(\nu v)\,\bar x\langle v\rangle.(\bar v\langle m,p\rangle\{m := (w)\,\bar y\langle w\rangle\})$$

In his original work [Mil90], Milner presents two candidates for the encoding of call-by-value λ-calculus into π-calculus, which we shall call $\mathcal{V}_1$ and $\mathcal{V}_2$, respectively. They only differ in the rule for the translation of a variable: In $\mathcal{V}_2$ this rule is simpler, but $\mathcal{V}_1$ allows easier reasoning and proofs. There are two differences between the encoding $\mathcal{C} \circ \mathcal{H}$ and Milner's $\mathcal{V}_i$'s. The first difference is that the order of the actions $r(y)$ and $\nu v\,\bar x\langle v\rangle$ in $App_\pi(p,q,r)$ is reversed. Let us call $\mathcal{V}'_i$, $i = 1,2$ the encoding obtained from $\mathcal{V}_i$ by commuting such actions $r(y)$ and $\nu v\,\bar x\langle v\rangle$. This action rearrangement causes a semantic difference between $\mathcal{V}_i[\![MN]\!]$ and $\mathcal{V}'_i[\![MN]\!]$ only when $M$ and $N$ are open. The encodings $\mathcal{V}'_i$'s appear closer than the $\mathcal{V}_i$'s to the call-by-value intuition. We justify this with an example. Consider the λ-term $\lambda x.x\Omega$: Since the call-by-value application $x\Omega$ has a divergent argument $\Omega$, the term $x\Omega$ is supposed not to produce any visible behaviour. Consequently, we expect that a faithful encoding of call-by-value equates $\lambda x.x\Omega$ and $\lambda x.\Omega$. But this is true only for the encodings $\mathcal{V}'_i$'s, whereas it fails for the $\mathcal{V}_i$'s. In consequence, we consider the former an improvement of the latter.

The second difference between the encoding $\mathcal{C} \circ \mathcal{H}$ and Milner's $\mathcal{V}_i$'s (everything we shall say for the $\mathcal{V}_i$'s holds for their "rectified" $\mathcal{V}'_i$'s) is that the component $\bar v\langle m,p\rangle\{m := (w)\,\bar y\langle w\rangle\}$ of $App_\pi(p,q,r)$ is "optimised" as $\bar v\langle y,p\rangle.0$ in $\mathcal{V}_1$ and $\mathcal{V}_2$ and, further, in $\mathcal{V}_2$ a similar optimisation occurs in the rule for variable, which is translated as $(p)\,\bar p\langle x\rangle.0$. We call the former optimisation 1 and the latter optimisation 2. It can be shown that both of them are instances of the same potential optimisation of the compilation $\mathcal{C}$ in the rule for output of a variable, namely

$$\mathcal{C}[\![\bar a\langle X\rangle.Q]\!] = \bar a\langle x\rangle.\mathcal{C}[\![Q]\!] \qquad (*)$$

The intuitive justification for (*) would be the following. Suppose that previous interactions have instantiated the variable $X$ of the HOπ term $\bar a\langle X\rangle.Q$ with $F$. In the encoding π-calculus terms the simulation of these interactions causes the instantiation of the name $x$ with a trigger, say $m_F$, to $\mathcal{C}[\![F]\!]$. Now, with the rule (*) this same trigger $m_F$ is then transmitted in the output along $a$. Instead, with the original rule of Table 1 a new name-trigger $m$ to the term $(y)\bar m_F\langle y\rangle$ is transmitted: This just seems to introduce a further level of indirection to the activation of $\mathcal{C}[\![F]\!]$. Indeed, rule (*) is often sound, and we believe that optimisation 1 is. This would give us a factorisation for $\mathcal{V}_1$ (or better, for its rectified $\mathcal{V}'_1$) through the HOπ encoding and the compilation $\mathcal{C}$, up to some code optimisation. We defer the analysis of the soundness of optimisation 1, as well as of possible other optimisations of $\mathcal{C}$, for future research.

But rule (*) is not sound in general. The problem has to do with sharing. With rule (*) two outputs of the same variable become at first order outputs of pointers to the same "environment entry"; this identity can be recognised and affects the successive behaviour. For instance, the encodings of the strongly congruent HOπ processes (here $F$ is any abstraction)

$$P \stackrel{def}{=} \nu a\,(\bar a\langle F\rangle.0 \mid a(X).\bar b\langle X\rangle.\bar b\langle X\rangle.0)$$

$$Q \stackrel{def}{=} \nu a\,(\bar a\langle F\rangle.0 \mid a(X).\bar b\langle F\rangle.\bar b\langle F\rangle.0)$$

would not be equivalent. For the same reason, $\beta$-conversion is not valid for Milner's second encoding $\mathcal{V}_2$, as can be shown using the terms $M = (\lambda x.(\lambda y.x))(\lambda z.z)$ and $N = \lambda y.(\lambda z.z)$: In one $\beta$-step $M$ reduces to $N$; however $\mathcal{V}_2[\![M]\!] \not\approx \mathcal{V}_2[\![N]\!]$. The difference between them appears after a sequence of interactions with the external environment of length at least 7 (!).
Nevertheless, $\mathcal{V}_2$ yields a precise operational correspondence between λ-terms and their process encodings and, intuitively, one "expects" $\mathcal{V}_2$ to be correct. Recently, in a collaboration with Benjamin Pierce [PS93] we have studied a stronger sorting discipline than Milner's, in which one distinguishes the ability of using channels of a given sort for performing inputs, outputs or both of them. In this system, we have indeed been able to prove the validity of $\beta$-reduction for $\mathcal{V}_2$. It would be interesting to see whether the adoption of such a refined sort system would also validate rule (*).

5 A λ-model from the process terms

Having shown the exact operational correspondence between lazy λ-terms and their process images (Proposition 4), it is legitimate to ask ourselves whether the encoding gives rise to a λ-model, and if so, what kind of λ-model it represents. We chose the lazy λ-calculus because of the simplicity of its encodings. We shall work within HOπ; therefore from now on up to the end of the paper, the word encoding and the symbol $\mathcal{H}$ refer to the HOπ encoding of lazy λ-calculus given in Section 3. All results can be transported onto Milner's encoding into π-calculus via Theorem 3 and Proposition 5.

There are simple syntax-free definitions of λ-model (i.e. they do not mention λ-terms). However, since we already have the mapping from $\Lambda$ to process terms, it is more convenient to use a definition where we can use such a mapping explicitly. A valuation is a function from the set of λ-variables to the domain $D$ of the λ-model; $[d/x]\rho$ is the valuation which maps $x$ to $d$ and which behaves like $\rho$ on the remaining elements.

Definition 6 (λ-model, from [HS86]). A λ-model is a triple $\langle D, \cdot, \mathcal{M}\rangle$, where $D$ is a set with at least two elements, '$\cdot$' is a mapping from $D \times D$ to $D$ and $\mathcal{M}$ is a mapping which assigns, to each λ-term $M$ and valuation $\rho$, a member $\mathcal{M}[\![M]\!]_\rho \in D$ such that:

1. $\mathcal{M}[\![x]\!]_\rho = \rho(x)$

2. $\mathcal{M}[\![MN]\!]_\rho = \mathcal{M}[\![M]\!]_\rho \cdot \mathcal{M}[\![N]\!]_\rho$

3. $\mathcal{M}[\![\lambda x.M]\!]_\rho \cdot d = \mathcal{M}[\![M]\!]_{[d/x]\rho}$, for all $d \in D$

4. $\mathcal{M}[\![M]\!]_\rho = \mathcal{M}[\![M]\!]_\sigma$ if $\rho(x) = \sigma(x)$ for all $x$ free in $M$

5. $\mathcal{M}[\![\lambda x.M]\!]_\rho = \mathcal{M}[\![\lambda y.M\{y/x\}]\!]_\rho$, for $y$ not free in $M$

6. if $\mathcal{M}[\![M]\!]_{[d/x]\rho} = \mathcal{M}[\![N]\!]_{[d/x]\rho}$ for all $d \in D$, then $\mathcal{M}[\![\lambda x.M]\!]_\rho = \mathcal{M}[\![\lambda x.N]\!]_\rho$. □

Our λ-model should respect the semantic relation adopted in HOπ. So, let us denote by $[A]_\approx$ the equivalence class of the agent $A$, namely

$$[A]_\approx = \{A' : A' \text{ is an HO}\pi\text{ agent and } A \approx A'\}$$

The elements of the domain $D$ of the model will be the equivalence classes of the closed HOπ agents with the same sort $S$ as the agents encoding λ-terms.

$$D \stackrel{def}{=} \{[F]_\approx : F \in \text{HO}\pi \text{ and } F \text{ has sort } S\}$$

The definition of application on these elements follows the translation of λ-application in $\mathcal{H}$:

$$[G]_\approx \cdot [F]_\approx \stackrel{def}{=} [\,(p)\,\nu q\,(G\langle q\rangle \mid \bar q\langle F,p\rangle)\,]_\approx \quad \text{for } p, q \text{ not free in } G, F$$

Note that the definition of application is consistent: by the congruence properties of $\approx$, the result of the application does not depend upon the representatives $G$ and $F$ chosen from the equivalence classes. We are left with the definition of the mapping $\mathcal{M}$. The valuation $\rho$ maps λ-variables to equivalence classes in $D$.

Given a valuation $\rho$, we denote by $\rho_{\mathcal{H}}$ a substitution from HOπ variables to HOπ agents s.t.

$$\text{for each λ-variable } x,\quad \rho_{\mathcal{H}}(\mathcal{H}[\![x]\!]) \in \rho(x)$$

Therefore, $\rho_{\mathcal{H}}$ is the "conversion" of $\rho$ which operates on the HOπ variable $\mathcal{H}[\![x]\!]$ and which selects a representative out of the equivalence class $\rho(x)$. Now, the mapping $\mathcal{M}$ of the λ-model is defined using $\mathcal{H}$ as follows:

Note that since $\approx$ is a congruence, this definition is independent of the representatives of the equivalence classes selected by $\rho_{\mathcal{H}}$. We denote by $\mathcal{D}$ the triple $\langle D, \cdot, \mathcal{M}\rangle$ so obtained.

Theorem 7. $\mathcal{D}$ is a λ-model.

Proof: Use the definition of $\mathcal{D}$ plus the congruence properties of $\approx$ to show that each clause of Definition 6 is satisfied. □

We could have tried to be more selective in the definition of the domain $\mathcal{D}$, and take as domain $D^* = \{[\mathcal{H}[\![M]\!]]_\approx : M \in \Lambda\}$; then $\mathcal{D}^* = \langle D^*, \cdot, \mathcal{M}\rangle$ represents the interior of $\mathcal{D}$ [HS86]. But it turns out that $\mathcal{D}^*$ is not a λ-model. Clause (6) in Definition 6 fails. As counterexample, take the terms $L_1$ and $L_2$ as will be defined in Section 6. Their encodings are not equivalent, i.e. $\mathcal{H}[\![L_1]\!] \not\approx \mathcal{H}[\![L_2]\!]$; however, for all closed $N$ it holds that $\mathcal{H}[\![L_1\{N/x\}]\!] \approx \mathcal{H}[\![L_2\{N/x\}]\!]$. Therefore $\mathcal{D}$ is an example of a λ-model whose interior is not a λ-model; see [HL80] for two more examples.

Now that we know that $\mathcal{D}$ is a λ-model, we can infer all properties of λ-models for it; in particular we get that

• Every provable equation of $\lambda\beta$ is valid for the encoding, up to $\approx$ (where $\lambda\beta$ is the formal theory given by $\alpha$ and $\beta$ conversion plus the rules of inference for equivalence and congruence).

• $\langle D, \cdot\rangle$ is a combinatory algebra (and hence is combinatorially complete) where the two distinguished elements $k$ and $s$ can be defined as $k = [\mathcal{H}[\![\lambda xy.x]\!]]_\approx$ and $s = [\mathcal{H}[\![\lambda xyz.xz(yz)]\!]]_\approx$.

However model $\mathcal{D}$ is not extensional, i.e. it is not a $\lambda\eta$-model. As counterexample, take $\Omega$ and $\lambda x.\Omega x$. Then $\mathcal{H}[\![\Omega]\!]\langle p\rangle \not\approx \mathcal{H}[\![\lambda x.\Omega x]\!]\langle p\rangle$, since $\mathcal{H}[\![\Omega]\!]\langle p\rangle \approx 0$, whereas $\mathcal{H}[\![\lambda x.\Omega x]\!]\langle p\rangle$ can perform a visible action at $p$. This failure is not too surprising, since our encoding mimics the lazy λ-calculus, in which the $\eta$ rule is not valid. However, as in the lazy λ-calculus, the $\eta$ rule holds if $M$ is convergent:

Theorem 8 (conditional extensionality). $\mathcal{H}[\![M]\!]\langle p\rangle \Downarrow_p$ implies $\mathcal{H}[\![\lambda x.Mx]\!] \approx \mathcal{H}[\![M]\!]$, for $x \notin fv(M)$.

Proof: Use Proposition 4 and the definition of the encoding. □


6 Full abstraction

Full abstraction, first studied by Milner [Mil77] and Plotkin [Plo77], is the problem of finding a denotational interpretation for a programming language such that the resulting semantic equality coincides with a notion of operational indistinguishability.

Inspired by the work of Milner and Park in concurrency [Par81, Mil89], Abramsky [Abr87] introduces an operational equivalence on the lazy λ-calculus terms called applicative bisimulation, built on the idea that convergence is the only observable property.

Definition 9. Applicative bisimulation is the largest symmetric relation $\sim \subseteq \Lambda \times \Lambda$ such that if $M \sim N$ and $M \Longrightarrow \lambda x.M'$, then there is an $N'$ such that $N \Longrightarrow \lambda x.N'$ and $M'\{L/x\} \sim N'\{L/x\}$, for all $L \in \Lambda$. □

If we take $\lambda$ as the only port of the λ-calculus and $M \Downarrow_\lambda$ as meaning "$M$ can reduce to an abstraction", then applicative bisimulation is the λ-calculus version of weak barbed congruence. This follows from the characterisation of applicative bisimulation in terms of "convergence in all contexts" given in [AO89].

The classical setting in which the full abstraction problem has been developed is the simply typed λ-calculus. With the introduction of the operational equivalence resulting from applicative bisimulation, it can be neatly transferred to the untyped λ-calculus and it has motivated elegant works by Abramsky, Ong and Boudol ([AO89, Bou91]).

A denotational interpretation is said to be sound if it only equates operationally equivalent terms, complete if it equates all operationally equivalent terms, and fully abstract if it is sound and complete. Let us consider what happens with the encoding $\mathcal{H}$. It is sound, since $\mathcal{H}[\![M]\!] \approx \mathcal{H}[\![N]\!]$ implies $M \sim N$; this can be established using (mainly) Proposition 4. However, $\mathcal{H}$ is not complete. For this, take:

$$L_1 = x(\lambda y.(xE\Omega y))\Omega \qquad L_2 = x(xE\Omega)\Omega$$

where $E$ is an always-convergent term (that is, for all $N$, $EN \Downarrow$), like the term $(\lambda x.\lambda y.(xx))(\lambda x.\lambda y.(xx))$. Terms $L_1$ and $L_2$ are used by Abramsky and Ong [AO89] to show that their canonical model for lazy λ-calculus is not fully abstract. They show that $L_1$ and $L_2$ are applicative bisimilar but can be distinguished using convergence test, an operator which is definable in the canonical model but is not in the pure lazy λ-calculus. We also have $\mathcal{H}[\![L_1]\!] \not\approx \mathcal{H}[\![L_2]\!]$; by using Theorem 3, this follows from a similar result for the encoding into π-calculus, which Milner obtained by implementing the convergence test as a π-process [Mil90]. In terms of the model $\mathcal{D}$ of the previous section, this inequality means that $L_1$ and $L_2$ have different denotations and that $\mathcal{D}$ is not fully abstract. Given a denotational interpretation which is not fully abstract, there are two natural directions to achieve full abstraction:

• to cut down the existing "over-generous" semantic domain (restrictive approach);

• to enrich the language (expansive approach).

These two approaches are exemplified by the solutions to the full abstraction problem for PCF (a typed λ-calculus extended with fixed points, boolean and arithmetic features) proposed by Milner [Mil77] and Plotkin [Plo77]; in the latter, PCF is augmented with a 'parallel or' operator. We shall see that in our case both directions lead to interesting constructions.

6.1 The restrictive approach

The first approach exploits the possibility of quantifying barbed bisimulation on a particular class of contexts, which allows us to specify exactly the way in which certain agents are supposed to be used. As λ-terms are only used in λ-calculus contexts, so we can require that their encodings be used only in encodings of λ-contexts. The encoding $\mathcal{H}$ is extended to λ-contexts by mapping the λ hole to the HOπ hole, i.e. $\mathcal{H}[\![[\cdot]]\!] \stackrel{def}{=} [\cdot]$. Thus, the class of contexts we are interested in is

$$\mathcal{L} = \{\mathcal{H}[\![C_\lambda[\cdot]]\!] \text{ such that } C_\lambda[\cdot] \text{ is a λ-context}\}$$

For $P, Q \in$ HOπ, we set $P \approx_{\mathcal{L}} Q$ if for every $\mathcal{L}$-context $C[\cdot]$, the processes $C[P]$ and $C[Q]$ are barbed bisimilar.

Proposition 10. For each $M, N \in \Lambda$, it holds that $M \sim N$ iff $\mathcal{H}[\![M]\!] \approx_{\mathcal{L}} \mathcal{H}[\![N]\!]$.

Proof: By use of the operational correspondence (Proposition 4), the characterisation of $\sim$ in terms of barbed congruence, the congruence properties of $\sim$. □

This result allows us to construct a fully abstract model for the lazy λ-calculus. Let $[A]_{\approx_{\mathcal{L}}}$ be the equivalence class of $A$ modulo $\approx_{\mathcal{L}}$, '$\cdot$' and $\mathcal{M}[\![M]\!]$ as defined in Section 5 but with $[\,]_{\approx_{\mathcal{L}}}$ in place of $[\,]_\approx$, and

$$D' \stackrel{def}{=} \{[\mathcal{H}[\![M]\!]]_{\approx_{\mathcal{L}}} : M \in \Lambda\}.$$

Theorem 11 (full abstraction). $\mathcal{D}' = \langle D', \cdot, \mathcal{M}\rangle$ is a fully abstract model for the lazy λ-calculus.

Proof: Full abstraction follows from Proposition 10. The proof that $\mathcal{D}'$ is a λ-model is analogous to the proof that $\mathcal{D}$ is a λ-model in Theorem 7. (The proof of Theorem 7 used the congruence properties of $\approx$; in this case, we need the congruence of $\approx_{\mathcal{L}}$ on encodings of λ-contexts; that is, if $C[\cdot]$ is the encoding of a λ-context and $\mathcal{H}[\![M]\!] \approx_{\mathcal{L}} \mathcal{H}[\![N]\!]$, then $C[\mathcal{H}[\![M]\!]] \approx_{\mathcal{L}} C[\mathcal{H}[\![N]\!]]$.) □

Indeed, the model $\mathcal{D}'$ is also fully expressive: all objects of the domain of interpretation are λ-definable. These results show that if from π-calculus and HOπ we discard everything which is extraneous to the encoding, in particular adopting $\approx_{\mathcal{L}}$ as semantic equivalence, then the structure that we get back is the "same thing" as the lazy λ-calculus. In our view, this was really the decisive test for the correctness of the HOπ and π-calculus encodings.

The domain $D'$ weakens the domain $D$ of Section 5 in two aspects: The behavioural equivalence is $\approx_{\mathcal{L}}$ rather than the more discriminating $\approx$; and only the interior of $D$ is taken into account. The first restriction is necessary to get full abstraction; the second to make the definition of application consistent. It is interesting to note the relationship between the choice of the class of HOπ agents and the choice of the behavioural equivalence in the definition of the domains $D$ and $D'$. In the former, we took the class $\mathcal{A}$ of all admissible agents, and then in the behavioural equivalence we had to use quantification over the class $Cnt$ of all admissible contexts (definition of $\approx$); in the latter we restricted to the "interior" of $\mathcal{A}$, and then in the behavioural equivalence we had to restrict to the "interior" of $Cnt$ (definition of $\approx_{\mathcal{L}}$).

6.2 The expansive approach

We next study the equivalence induced on λ-terms by the encoding, called λ-observational equivalence; it equates the λ-terms $M$ and $N$ if $\mathcal{H}[\![M]\!] \approx \mathcal{H}[\![N]\!]$. In other words, we look at the effect on λ-terms of the use of "richer" contexts, in which also concurrent features may be present. To derive a direct characterisation of λ-observational equivalence (i.e. a characterisation not mentioning the encoding) we have to enrich the λ-calculus with constants. A constant is a symbol which is added to the language without specifying any operational rule; in this sense they are opposed to operators, for which the behavioural rules are given (examples are convergence test and non-deterministic choice). Constants can be found in the well-known technique of top-down specification and analysis, where a system is developed through a series of refinement steps each representing a different level of abstraction; a lower level implements some details which at a higher level are left undefined. A constant $c$ is then a high level primitive standing for some lower level procedure $K_c$. Now for closed terms, $c\tilde M$ becomes a sensible normal form. Operationally, we really can see it as the output of the tuple $\tilde M$ along the channel $c$ and towards $K_c$.

Let $\Lambda_C$ be the class of λ-terms enriched with constants. When generalising applicative bisimulation to terms in $\Lambda_C$, the main question is which condition should be imposed on the equality between the terms $c\tilde M$ and $c\tilde N$. According to the above interpretation of constants, it is natural to require that the ordered sequence of arguments represented by $\tilde M$ and $\tilde N$ be equivalent (clause (2) in the following definition).

Definition 12. Applicative bisimulation over $\Lambda_C$, written $\sim_C$, is the largest symmetrical relation on $\Lambda_C \times \Lambda_C$ such that $M \sim_C N$ implies:

1. if $M \Longrightarrow \lambda x.M'$ then there is an $N'$ such that $N \Longrightarrow \lambda x.N'$ and $M'\{L/x\} \sim_C N'\{L/x\}$, for all $L \in \Lambda_C$;

2. if $M \Longrightarrow cM_1 \ldots M_n$, for some $n \geq 0$ and $c \in C$, then there are $N_1, \ldots, N_n$ such that $N \Longrightarrow cN_1 \ldots N_n$ and $M_i \sim_C N_i$, $1 \leq i \leq n$.

The proof (in [San92a]) that $\sim_C$ coincides with λ-observational equivalence (in particular the implication from right to left) is delicate. Milner's encoding is extended to $\Lambda_C$ by mapping constants to a special kind of agents called triggers. These were introduced in [San92a] to obtain a simple characterisation of barbed congruence in HOπ; it turns out that their discriminating power is the same as that of constants in the λ-calculus.

Theorem 13 (direct characterisation of λ-observational equivalence). If $M, N \in \Lambda$, it holds that $M \sim_C N$ iff $\mathcal{H}[\![M]\!] \approx \mathcal{H}[\![N]\!]$. □

Let $\mathcal{D}_C$ be the extension to $\Lambda_C$ of the model $\mathcal{D}$ of Section 5; $\mathcal{D}_C$ is defined as $\mathcal{D}$ with $\Lambda_C$ in place of $\Lambda$, and utilising the extension of $\mathcal{H}$ to $\Lambda_C$.

Corollary 14 (full abstraction for $\mathcal{D}_C$). $\mathcal{D}_C$ is a fully abstract model for the lazy λ-calculus enriched with constants. □

Starting from these results, the study of λ-observational equivalence has been continued in [San92b]. The outcomes suggest that it is a robust equivalence. First, it enjoys simple operational and denotational characterisations. Secondly it coincides with the equivalence obtained when the λ-calculus is augmented with the whole class of well-formed operators, a fairly large class of operators whose behaviour depends only on the semantics, not on the syntax, of their operands; that is to say, the encoding into π-calculus/HOπ induces maximal observational discrimination on λ-terms.
Time Abstracted Bisimulation:
Implicit Specifications and Decidability

Kim G. Larsen* and Wang Yi*


Abstract

In the last few years a number of real-time process calculi have emerged with the purpose of capturing important quantitative aspects of real-time systems. In addition, a number of process equivalences sensitive to time-quantities have been proposed, among these the notion of timed (bisimulation) equivalence in [RR86, DS89, HR91, BB89, NRSV90, MT90, Wan91b].

In this paper, we introduce a time-abstracting (bisimulation) equivalence, and investigate its properties with respect to the real-time process calculus of [Wan90]. Seemingly, such an equivalence would yield very little information (if any) about the timing properties of a process. However, time-abstracted reasoning about a composite process may yield important information about the relative timing-properties of the components of the system. In fact, we show as a main theorem that such implicit reasoning will reveal all timing aspects of a process. More precisely, we prove that two processes are interchangeable in any context up to time-abstracted equivalence precisely if the two processes are themselves timed equivalent.

As our second main theorem, we prove that time-abstracted equivalence is decidable for the calculus of [Wan90] using classical methods based on a finite-state symbolic, structured operational semantics.


1 Introduction

During  the  last  few  years  various  process  calculi  have  been  extended  to  include  real-time  in  order 
to  handle  quantitative  aspects  of  real-time  systems,  for  instance  that  some  critical  event  must 
not  or  should  happen  within  a  certain  time  period.  The  extensions  often  include  timed  versions 
of  classical  process  equivalences,  e.g.  timed  bisimulation  equivalence,  timed  failure  equivalence 
and  timed  trace  equivalence  (RRS6,  DSS9,  HR91,  NRSV90,  MT90,  VVan91bJ.  Loosely  speaking, 
for  two  processes  to  be  equivalent  they  should  not  only  agree  on  what  actions  they  can  perform, 
they  must  also  agree  on  when  these  actions  are  performable.  Alternatively,  one  can  say  that 
an  observer  is  assumed  to  be  sensitive  to  passage  of  time  including  the  quantity  by  which  time 
is  passing. 

A fundamental problem induced by any new process calculus is that of axiomatization and decidability of the associated process equivalence. Normally, these problems are solved in two stages: the problems are first solved for the class of regular processes, i.e. processes with no parallel composition, after which it is shown how to remove parallel composition through the use of a so-called expansion theorem. However, for real-time calculi where time is represented by some dense time domain (such as the non-negative reals) processes will have infinitely many states, and it has been shown in [GL92] that no expansion theorem exists for timed bisimulation equivalence — i.e. parallel composition cannot in general be removed. This explains why axiomatization and decidability of various equivalences between real-time processes based on dense time domains have proven notoriously hard problems. Recent work by Cerans [C92], Chen [Che91b] and Fokkink and Klusener [FK91] offers the first examples of decidability and axiomatization for real-time calculi based on dense time.

In this paper we introduce a time-abstracting (bisimulation) equivalence between real-time processes, i.e. in comparing real-time processes we shall abstract away from the passage of time¹. Seemingly, such an equivalence would yield very little information (if any at all) about the timing behaviour of a real-time system. However, if the real-time system is a combination of real-time systems, $C(P_1, \ldots, P_n)$ say, time-abstracted reasoning will at least yield some information about the relationship between the concrete timing properties of the components $P_1, \ldots, P_n$. In fact, as we shall prove as a main theorem of this paper, in a certain formal sense all timing aspects of a real-time system may be revealed in this manner.

As the second main contribution of this paper, we demonstrate that the time-abstracted equivalence is decidable using essentially classical methods based on a finite-state symbolic, structured operational semantics. The symbolic semantics is based on a discrete version of the standard (continuous) operational semantics. In order to obtain completeness it is essential that the symbolic semantics is based on a sufficiently fine "granularity". In fact, we show that the "granularity" required is linearly dependent on the number of parallel components.

To further motivate the usefulness of time-abstracted equivalence consider the combined system in Figure 1 consisting of two (disposable) media A and B.

Figure 1: A Combined Medium

Functionally, the two media are nearly identical: they accept messages on the left port, passing them on to the right port. However, taking time into account, there are important differences between the media: after having accepted a message on port a, A is immediately able to deliver the message on port b. However, if the message has not been taken after a delay of $t_A$, a timeout will occur and the message is lost. In contrast, the medium B will never lose a message once it has been accepted. However, a message can only be accepted on port b after some initial delay $t_B$. Using the timed calculus of Wang [Wan90, Wan91b, Wan91a] the two media A and B may be specified as follows:


$A \overset{\mathrm{def}}{=} a.(\bar{b}.nil + \epsilon(t_A).\tau.nil)$

$B \overset{\mathrm{def}}{=} \epsilon(t_B).b.\bar{c}.nil$

It should be obvious that even from a time-abstracted point of view, the behaviour of the combined system $(A \mid B)\backslash b$ is highly dependent on the timing parameters $t_A$ and $t_B$. Essentially, if $t_A > t_B$, the combined system will function as a proper (disposable) medium, i.e.:

$(A \mid B)\backslash b \;\dot\approx\; a.\bar{c}.nil$   (1)


¹ This abstraction is very similar to the abstraction from internal computation in classical process algebras.
where $\dot\approx$ denotes our (weak) time-abstracting equivalence². In contrast, if $t_B > t_A$, the combined medium may not be able to successfully deliver messages; in fact the following will hold³:

$(A \mid B)\backslash b \;\dot\approx\; a.(\tau.nil + \tau.\bar{c}.nil) + \tau.a.\bar{c}.nil$   (2)

Even though we gain information about the relationship of the timing behaviours of A and B in both (1) and (2), we have no information about the timing behaviour of the combined system. Obviously, in the case (1) a message can be delivered on port c after a delay of less than $t_B$ from the acceptance of the message. Using the (weak) timed bisimulation equivalence from [Wan91a] such properties can be specified:

$(A \mid B)\backslash b \;\approx\; a.\epsilon(t_B).\bar{c}.nil$⁴

Alternatively, one can express such explicit timing properties using Timed Modal Logics, e.g. [ACD90, HLW91, HNJ92, RH92]. However, we can also formulate explicit timing properties using time-abstracted equivalence by resorting to implicit specifications: i.e. instead of specifying properties of $S = (A \mid B)\backslash b$ directly we specify properties of the system S in certain contexts. Concretely, specifying that S must be able to deliver on port c after a delay of no more than d after acceptance on port a can be expressed as follows:

$(\bar{a}.(c.\omega.nil + \epsilon(d).\tau.nil) \mid S)\backslash\{a, c\} \;\dot\approx\; \omega.nil$   (3)

where ω is a distinguished (success) action. Here, we are exploiting the maximal progress property of the calculus in [Wan91a]⁵.

The previously announced main theorem, that all explicit timing properties can be captured using time-abstracted equivalence, can now be made more precise: we show that implicit time-abstrac­ting specifications of the form (3) precisely characterize timed bisimulation equivalence. That is, two timed processes are timed bisimulation equivalent just in case they satisfy the same implicit time-abstracted specifications. Thus, without any loss of discriminating power, one may use time-abstracting bisimulation equivalence instead of timed bisimulation equivalence.

The outline of the paper is as follows: in section 2 we review the timed calculus of [Wan90, Wan91b, Wan91a] together with the notion of timed bisimulation; in section 3 strong and weak notions of time-abstracted bisimulation are introduced; in section 4 we prove as our first main theorem that implicit time-abstracting specifications are as discriminating as timed bisimulation; section 5 contains our second main contribution: decidability of strong and weak time-abstracted bisimulation equivalence. Finally, in section 6 we give some concluding remarks. To achieve readability while maintaining credibility we enclose full proofs in the appendices.


2 Timed Processes

2.1 Syntax and Semantics

The language we use to describe timed processes is essentially Milner's CCS extended with a delay construct $\epsilon(d).P$. Informally, $\epsilon(d).P$ means "wait for d units of time and then behave like P", where $d \in \mathcal{R}^+$ is a nonnegative real.


² Weak indicating that $\dot\approx$ also abstracts from internal computation.

³ The summand $\cdots + \tau.a.\bar{c}.nil$ reflects that messages may successfully be delivered in case A delays sufficiently long before accepting a message, as this will reduce the remaining delay for B.

⁴ The displayed equivalence does in fact not hold as the delay required before the delivery depends on the delay before the acceptance. Using time-variables as in [Wan91b] a valid equation would be: $(A \mid B)\backslash b \;\approx\; a@t.\epsilon(t_B - t).\bar{c}.nil$.

⁵ Maximal progress means that time is not allowed to pass if a system can perform internal computation.
As in CCS, we assume a set $\Lambda = \Delta \cup \bar{\Delta}$ with $\bar{\bar{a}} = a$ for all $a \in \Lambda$, ranged over by $\alpha, \beta$, representing external actions, and a distinct symbol τ representing internal actions. We use $Act$ to denote the set $\Lambda \cup \{\tau\}$, ranged over by $a, b$, representing both internal and external actions.

Further, assume a set of process variables ranged over by X.

We adopt a two-phase syntax to describe networks of regular timed processes. First, regular timed process expressions are generated by the following grammar:

$E ::= nil \;\mid\; X \;\mid\; \epsilon(d).E \;\mid\; a.E \;\mid\; E + E \;\mid\; X \overset{\mathrm{def}}{=} E$

We shall restrict process expressions to be well-guarded in the following sense:

Definition 1 X is well-guarded in E if and only if every free occurrence of X in E is within a subexpression (a guard) of the form a.F in E.

E is well-guarded if and only if every free variable in E is well-guarded in E, and for every subexpression of the form $X \overset{\mathrm{def}}{=} F$ in E, X is well-guarded in F. □

Closed and well-guarded expressions generated by the grammar above are called regular timed processes. Networks of regular timed processes are described by CCS parallel composition:

$P_1 \mid \cdots \mid P_n$

where the $P_i$ are regular timed processes. For simplicity, we have ignored the other CCS operators. However, the results of this paper can be easily extended to more general types of networks modelled by the combination of parallel composition, restriction and relabelling:

$(P_1[S_1] \mid \cdots \mid P_n[S_n])\backslash A$


Table 2: Delay Rules for Timed Semantics.

We will use P, Q to range over timed processes.

A timed operational semantics for the language has been developed in [Wan90]. We present the transition rules in two groups: rules for actions in table 1⁶ and rules for delays in table 2⁷.

Note that the side condition for the delay rule of parallel composition is to guarantee that the parallel processes satisfy the maximal progress assumption, that is, a timed process will never wait if it can perform an internal action τ. The condition is formalized by means of $Sort_d(P)$, defined inductively on the structure of processes P in table 3. Intuitively, $Sort_d(P)$ includes all external actions that P is able to perform within d time units; whereas $Sort_d(P) \cap \overline{Sort_d(Q)} = \emptyset$⁸ means that P and Q cannot communicate with each other within d time units.

Definition 2 Given a process P, we define $Sort_0(P) = \emptyset$ and $Sort_c(P)$ for $c \neq 0$ to be the least set satisfying the equations⁹ given in table 3. □


$Sort_c(nil) = \emptyset$
$Sort_c(\alpha.P) = \{\alpha\}$
$Sort_c(\tau.P) = \emptyset$
$Sort_c(\epsilon(d).P) = Sort_{c \dot{-} d}(P)$
$Sort_c(P + Q) = Sort_c(P) \cup Sort_c(Q)$
$Sort_c(X) = Sort_c(P) \quad [X \overset{\mathrm{def}}{=} P]$
$Sort_c(P \mid Q) = Sort_c(P) \cup Sort_c(Q)$

Table 3: Equations for $Sort_c(P)$.
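The side condition of the parallel delay rule can be evaluated directly from table 3 and footnotes 8 and 9. The following Python is an added example, not code from the paper: it represents regular timed process terms as small classes, computes $Sort_c(P)$ by the equations of table 3, and checks $Sort_d(P) \cap \overline{Sort_d(Q)} = \emptyset$ for the two media A and B of the introduction with constructed parameters $t_A = 5$ and $t_B = 3$; the naming convention ('tau' for τ, a leading '~' for a co-name) is an assumption of the example.

```python
from dataclasses import dataclass
from fractions import Fraction
from typing import Dict, FrozenSet, Union

# Added example (not code from the paper): regular timed process terms as
# classes, Sort_c(P) from table 3, and the side condition of the parallel
# delay rule (footnote 8). Assumed naming convention: 'tau' is the internal
# action and a leading '~' marks a co-name (a bar).

@dataclass(frozen=True)
class Nil:
    pass

@dataclass(frozen=True)
class Prefix:          # a.P
    action: str
    cont: "Proc"

@dataclass(frozen=True)
class Delay:           # eps(d).P
    d: Fraction
    cont: "Proc"

@dataclass(frozen=True)
class Sum:             # P + Q
    left: "Proc"
    right: "Proc"

@dataclass(frozen=True)
class Par:             # P | Q
    left: "Proc"
    right: "Proc"

@dataclass(frozen=True)
class Var:             # process variable X, with X def= P kept in a defs table
    name: str

Proc = Union[Nil, Prefix, Delay, Sum, Par, Var]
Defs = Dict[str, Proc]

def minus_dot(c: Fraction, d: Fraction) -> Fraction:
    """c -. d (footnote 9): c - d if c > d, otherwise 0."""
    return c - d if c > d else Fraction(0)

def sort(c: Fraction, p: Proc, defs: Defs) -> FrozenSet[str]:
    """Sort_c(P) of table 3: the external actions P can offer strictly
    within c time units; Sort_0(P) is empty by Definition 2."""
    if c == 0 or isinstance(p, Nil):
        return frozenset()
    if isinstance(p, Prefix):                      # {alpha} for external, {} for tau
        return frozenset() if p.action == "tau" else frozenset({p.action})
    if isinstance(p, Delay):                       # Sort_{c -. d}(P)
        return sort(minus_dot(c, p.d), p.cont, defs)
    if isinstance(p, (Sum, Par)):                  # union of the components
        return sort(c, p.left, defs) | sort(c, p.right, defs)
    if isinstance(p, Var):                         # Sort_c(X) = Sort_c(P) [X def= P]
        # terminates because well-guardedness puts every X under an action
        # prefix, and Sort_c stops at prefixes
        return sort(c, defs[p.name], defs)
    raise TypeError(f"not a process term: {p!r}")

def bar(a: str) -> str:
    """Complementary name: a <-> ~a."""
    return a[1:] if a.startswith("~") else "~" + a

def may_delay_together(d: Fraction, p: Proc, q: Proc, defs: Defs) -> bool:
    """Side condition of the parallel delay rule: P | Q may let d time units
    pass only if Sort_d(P) ∩ overline{Sort_d(Q)} = ∅, i.e. no communication
    between P and Q becomes possible within d (maximal progress)."""
    return not (sort(d, p, defs) & frozenset(bar(a) for a in sort(d, q, defs)))

# Constructed instance of the introduction's media with t_A = 5, t_B = 3:
#   A = a.(~b.nil + eps(5).tau.nil)      B = eps(3).b.~c.nil
T_A, T_B = Fraction(5), Fraction(3)
A_AFTER_ACCEPT = Sum(Prefix("~b", Nil()), Delay(T_A, Prefix("tau", Nil())))
A = Prefix("a", A_AFTER_ACCEPT)
B = Delay(T_B, Prefix("b", Prefix("~c", Nil())))
# A constructed recursive definition X def= a.eps(1).X, exercising the Var case.
DEFS: Defs = {"X": Prefix("a", Delay(Fraction(1), Var("X")))}

if __name__ == "__main__":
    for d in (Fraction(1), Fraction(3), Fraction(4)):
        print(f"d={d}: Sort_d(B)={set(sort(d, B, DEFS))}, "
              f"A|B may delay: {may_delay_together(d, A, B, DEFS)}, "
              f"after accept: {may_delay_together(d, A_AFTER_ACCEPT, B, DEFS)}")
```

Once A has accepted a message, the network may let exactly $t_B$ time units pass but no more, since the b-communication then becomes enabled and maximal progress forbids further idling.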


The following properties of timed processes will often be referred to in the later sections.

Proposition 1

1. (maximal progress) If $P \xrightarrow{\tau} P'$ for some P', then $P \xrightarrow{\epsilon(d)} P''$ for no d and P''.

2. (time determinism) Whenever $P \xrightarrow{\epsilon(d)} P'$ and $P \xrightarrow{\epsilon(d)} P''$ then $P' = P''$.

3. (persistency) If $P \xrightarrow{\epsilon(d)} P'$ and $P \xrightarrow{\alpha} Q$ for some P' and Q, then $P' \xrightarrow{\alpha} Q'$ for some Q'.

4. (time continuity) For all c, d and P'', $P \xrightarrow{\epsilon(c+d)} P''$ iff $P \xrightarrow{\epsilon(c)} P' \xrightarrow{\epsilon(d)} P''$ for some P'. □

We end this section with notation:

• $\vec{P}$ stands for a network $P_1 \mid \cdots \mid P_n$ where the $P_i$ are regular timed processes.

• Whenever $P \xrightarrow{\epsilon(d)} P'$, $P^d$ stands for $P'$¹⁰; note that $P^d$ is well-defined due to the time-determinism property stated above.

• $\vec{P}^{\vec{x}}$ stands for $P_1^{x_1} \mid \cdots \mid P_n^{x_n}$ for $\vec{x} = (x_1, \ldots, x_n)$.


⁶ Note that apart from the rule for $\epsilon(0).P$, the action rules are exactly the same as in CCS.

⁷ In table 2, we use d to stand for a non-zero real; this implies that an $\epsilon(0)$ transition can never be inferred by the inference rules. However, we shall apply the convention that $P \xrightarrow{\epsilon(0)} P$ for all P.

⁸ Here, $\overline{Sort_d(Q)}$ is defined to be the set $\{\bar{\alpha} \mid \alpha \in Sort_d(Q)\}$.

⁹ In table 3, $c \dot{-} d$ is defined to be $c - d$ if $c > d$, 0 otherwise.

¹⁰ Note that $P^0$ stands for P following the convention that $P \xrightarrow{\epsilon(0)} P$ for all P.
Conceptually, one can imagine each component $P_i$ of a network $\vec{P}$ to be equipped with a private clock. All clocks proceed at the same speed and a clock-value will be reset to 0 when the corresponding component performs a real action; $\vec{P}^{\vec{x}}$ denotes the state of $\vec{P}$ in which the clock-values are $x_1, \ldots, x_n$.

2.2 Timed Bisimulation

We have developed a labelled transition system $(\mathcal{P}_T, \longrightarrow, \mathcal{L})$ where $\mathcal{P}_T$ is the set of timed processes generated by the two-phase syntax; $\longrightarrow$ is the least relation satisfying the inference rules given in table 1 and table 2; $\mathcal{L}$ is the set of labels, $Act \cup \{\epsilon(d) \mid d \in \mathcal{R}^+\}$. To compare timed processes, strong and weak notions of timed bisimulation have been defined based on this transition system in [Wan90].

Definition 3 (strong timed bisimulation) A binary relation S on $\mathcal{P}_T$ is a strong timed simulation if $(P, Q) \in S$ implies that for all $a \in Act$ and $d \in \mathcal{R}^+$,

1. Whenever $P \xrightarrow{a} P'$ then, for some $Q'$, $Q \xrightarrow{a} Q'$ and $(P', Q') \in S$

2. Whenever $P \xrightarrow{\epsilon(d)} P'$ then, for some $Q'$, $Q \xrightarrow{\epsilon(d)} Q'$ and $(P', Q') \in S$

We call such a simulation S a strong timed bisimulation if it is symmetrical. The largest strong timed bisimulation is called strong timed equivalence, denoted $\sim$. □

Weak timed equivalence is defined by abstracting away from internal actions.

Definition 4

1. $P \overset{\epsilon}{\Longrightarrow} Q$ if $P (\xrightarrow{\tau})^{*} Q$

2. $P \overset{a}{\Longrightarrow} Q$ if $P (\xrightarrow{\tau})^{*} \xrightarrow{a} (\xrightarrow{\tau})^{*} Q$

3. $P \overset{\epsilon(d)}{\Longrightarrow} Q$ if $P (\xrightarrow{\tau})^{*} \xrightarrow{\epsilon(d_1)} (\xrightarrow{\tau})^{*} \cdots (\xrightarrow{\tau})^{*} \xrightarrow{\epsilon(d_n)} (\xrightarrow{\tau})^{*} Q$ where $d = \sum_{i \le n} d_i$. □

Definition 5 (weak timed bisimulation) A binary relation S on $\mathcal{P}_T$ is a weak timed simulation if $(P, Q) \in S$ implies that for all $a \in Act$ and $d \in \mathcal{R}^+$,

1. Whenever $P \xrightarrow{a} P'$ then, for some $Q'$, $Q \overset{a}{\Longrightarrow} Q'$ and $(P', Q') \in S$

2. Whenever $P \xrightarrow{\epsilon(d)} P'$ then, for some $Q'$, $Q \overset{\epsilon(d)}{\Longrightarrow} Q'$ and $(P', Q') \in S$

We call such a simulation S a weak timed bisimulation if it is symmetrical. The largest weak timed bisimulation is called weak timed equivalence, denoted $\approx$. □

In [Wan91a], it has been shown that $\sim$ is a congruence w.r.t. all CCS operators and $\approx$ is a congruence w.r.t. all the other operators except summation and recursion.


3 Time Abstracted Equivalences

In analyzing a large system, we often need to make proper abstractions according to what properties of the system we are interested in. One such example is weak timed equivalence, which abstracts away from internal actions. In this section, we develop notions of bisimulation abstracting away from both time delays and internal actions.
Definition 6 (abstracting away from time)

1. $P \xrightarrow{\epsilon} Q$ if $P (\xrightarrow{\epsilon(d)})^{*} Q$ for arbitrary delays d

2. $P \xrightarrow{a} Q$ if $P \xrightarrow{a} Q$ in the timed semantics, i.e. action transitions are kept unchanged □

For example, $\epsilon(2).a.P \xrightarrow{\epsilon} \epsilon(0.3).a.P$, ..., $\epsilon(2).a.P \xrightarrow{\epsilon} a.P$. Here, we simply consider a timed transition like $P \xrightarrow{\epsilon(d)} Q$ as an empty transition $P \xrightarrow{\epsilon} Q$ where the quantitative part, i.e. d, of the transition is ignored. This assumes that the observer (or environment) who makes the observation is insensitive to time-quantities. Naturally, we may identify two processes if they cannot be distinguished by any time insensitive environment.

Definition 7 (strong time abstracted equivalence) A binary relation S on $\mathcal{P}_T$ is a strong time abstracted simulation if $(P, Q) \in S$ implies that for all $a \in Act$ and $d \in \mathcal{R}^+$,

1. Whenever $P \xrightarrow{a} P'$ then, for some $Q'$, $Q \xrightarrow{a} Q'$ and $(P', Q') \in S$

2. Whenever $P \xrightarrow{\epsilon(d)} P'$ then, for some $Q'$, $Q \xrightarrow{\epsilon} Q'$ and $(P', Q') \in S$

We call such a simulation S a strong time abstracted bisimulation if it is symmetrical. The largest strong time abstracted bisimulation is called strong time abstracted equivalence, denoted $\dot\sim$. □

For example, $\epsilon(2).\tau.nil \mid \epsilon(1).\beta.nil \;\dot\sim\; \tau.nil \mid \beta.nil \;\dot\sim\; \tau.\beta.nil + \beta.\tau.nil$. Note that in terms of timed bisimulation equivalence $\sim$, there is no regular process equivalent to the parallel process.

We make a further abstraction to abstract away from internal actions.

Definition 8 (abstracting away from time and τ)

1. $P \overset{\epsilon}{\Longrightarrow} Q$ if $P (\xrightarrow{\tau} \cup \xrightarrow{\epsilon})^{*} Q$

2. $P \overset{a}{\Longrightarrow} Q$ if $P \overset{\epsilon}{\Longrightarrow} \xrightarrow{a} \overset{\epsilon}{\Longrightarrow} Q$ □

Definition 9 (weak time abstracted equivalence) A binary relation S on $\mathcal{P}_T$ is a weak time abstracted simulation if $(P, Q) \in S$ implies that for all $\alpha \in Act - \{\tau\}$ and $\delta \in \{\tau\} \cup \{\epsilon(d) \mid d \in \mathcal{R}^+\}$,

1. Whenever $P \xrightarrow{\alpha} P'$ then, for some $Q'$, $Q \overset{\alpha}{\Longrightarrow} Q'$ and $(P', Q') \in S$

2. Whenever $P \xrightarrow{\delta} P'$ then, for some $Q'$, $Q \overset{\epsilon}{\Longrightarrow} Q'$ and $(P', Q') \in S$

We call such a simulation S a weak time abstracted bisimulation if it is symmetrical. The largest weak time abstracted bisimulation is called weak time abstracted equivalence, denoted $\dot\approx$. □

Now, we can further simplify our example process $\epsilon(2).\tau.nil \mid \epsilon(1).\beta.nil$ to $\beta.nil$ by the equation: $\epsilon(2).\tau.nil \mid \epsilon(1).\beta.nil \;\dot\approx\; \beta.nil$.

It seems that every timed process would be time-abstracted equivalent to an untimed process which contains no delay-construct. This is not true for $\dot\sim$. For instance,

$(\epsilon(1).\alpha.nil \mid \beta.(\tau.nil + \bar{\alpha}.\omega.nil))\backslash\{\alpha\} \;\not\dot\sim\; P_{CCS}$

for all untimed processes $P_{CCS}$. However, it is true for weak time abstracted equivalence that for each timed process P, there will be an untimed process $P_{CCS}$ such that $P \;\dot\approx\; P_{CCS}$. For instance, it is easy to prove $(\epsilon(1).\alpha.nil \mid \beta.(\tau.nil + \bar{\alpha}.\omega.nil))\backslash\{\alpha\} \;\dot\approx\; (\tau.\alpha.nil \mid \beta.(\tau.nil + \bar{\alpha}.\omega.nil))\backslash\{\alpha\}$.

Figure 2: Ordering Timed and Time-Abstracted Equivalences with Strength.

We conclude this section with the commuting diagram shown in figure 2, which illustrates the relationship between timed and time-abstracted equivalences. The arrows in the diagram should be understood as set inclusion, that is: $\sim \subset \dot\sim \subset \dot\approx$ and $\sim \subset \approx \subset \dot\approx$. The proofs of these inclusions, that they are strict, and that they are the only inclusions among the four equivalences are straightforward.


4 Implicit Time Abstraction

In this section we present our first main theorem: two timed processes are strong (weak) timed equivalent if and only if they satisfy the same strong (weak) implicit time-abstracted specifications. Here, a strong implicit time-abstracted specification of a process P is an equation of the form:

$A \mid P \;\dot\sim\; B$   (4)

where A and B are real-time processes. That is, $P \sim Q$ if and only if P and Q satisfy the same equations of the form (4). Alternatively, the results in this section say that $\sim$ ($\approx$) is the coarsest equivalence contained in $\dot\sim$ ($\dot\approx$) which is preserved by the parallel composition of our calculus¹¹.

Theorem 1 $P \sim Q$ if and only if $P \mid N \;\dot\sim\; Q \mid N$ for all N.

Proof: Only If: As $\sim$ is preserved by all operators of the calculus and since $\sim$ is contained in $\dot\sim$, it is obvious that this direction holds.

If: We show that the relation:

$\mathcal{R} = \{(P, Q) \mid \text{for all } N,\; P \mid N \;\dot\sim\; Q \mid N\}$

is a strong timed bisimulation. Thus consider $(P, Q) \in \mathcal{R}$.

First consider an action-transition $P \xrightarrow{a} P'$ and let $\{Q_1, \ldots, Q_m\}$ be the set of all a-derivatives of Q¹².

In case m = 0 (i.e. Q has no a-transitions), $P \mid N \;\not\dot\sim\; Q \mid N$ for $N = \bar{a}.\omega.nil + \tau.nil$, where ω is a distinguished action not occurring in either P or Q. However, this contradicts the assumption that $(P, Q) \in \mathcal{R}$.


¹¹ As $\sim$ is preserved by all operators of the calculus, $\sim$ is in fact the congruence induced by $\dot\sim$. This fact does not extend to the weak case, as $\approx$ is not — as usual — preserved by +.

¹² We use the easily established fact that all processes definable in our calculus are image-finite in the sense that the set of derivatives under any action is finite.
Thus, m > 0. Now, assume that $(P', Q_i) \notin \mathcal{R}$ for all i. We shall show that this leads to a contradiction. Under this assumption it follows from the definition of $\mathcal{R}$ that for each i there exists a process $N_i$ such that $P' \mid N_i \;\not\dot\sim\; Q_i \mid N_i$. Now let:

$S \overset{\mathrm{def}}{=} \bar{a}.S' \qquad S' \overset{\mathrm{def}}{=} \sum_{i=1}^{m} \omega_i.N_i + \tau.S'$

where the $\omega_i$ are distinct actions not occurring in either P or Q. Note that S' is a time-stopped process (and $P \mid S'$ is time-stopped for any P) in the sense that no delay-transitions can take place. Now we claim that $P \mid S \;\not\dot\sim\; Q \mid S$, contradicting that $(P, Q) \in \mathcal{R}$. To argue for this consider the transition:

$P \mid S \xrightarrow{\tau} P' \mid S'$   (5)

A possible match for $Q \mid S$ must be of the form $Q \mid S \xrightarrow{\tau} R$. Due to the maximal progress property of our calculus, and as S' (and hence $Q_i \mid S'$) is time-stopped, the only possible such transitions are either of the form (a) $Q \mid S \xrightarrow{\tau} Q_i \mid S'$ or of the form (b) $Q \mid S \xrightarrow{\tau} Q'' \mid S$ with $Q \xrightarrow{\tau} Q''$. Clearly, transitions of the form (b) cannot match (5) as $P' \mid S' \xrightarrow{\omega_1}$ whereas $Q'' \mid S \not\xrightarrow{\omega_1}$. Let us thus compare behaviours of $P' \mid S'$ and $Q_i \mid S'$: first note that with respect to $\omega_i$ both possess the following unique transitions: $P' \mid S' \xrightarrow{\omega_i} P' \mid N_i$ and $Q_i \mid S' \xrightarrow{\omega_i} Q_i \mid N_i$. Thus, if $P' \mid S' \;\dot\sim\; Q_i \mid S'$ it follows that $\omega_i.(P' \mid N_i) \;\dot\sim\; \omega_i.(Q_i \mid N_i)$. However, this contradicts the assumption that $P' \mid N_i \;\not\dot\sim\; Q_i \mid N_i$ and the easily established fact that whenever $a.U \;\dot\sim\; a.V$ then also $U \;\dot\sim\; V$. Thus, $Q \mid S$ has no match for the transition (5) of $P \mid S$ and hence $P \mid S \;\not\dot\sim\; Q \mid S$, contradicting the assumption that $(P, Q) \in \mathcal{R}$.

Now consider a delay transition $P \xrightarrow{\epsilon(d)} P'$. If $Q \not\xrightarrow{\epsilon(d)}$ then clearly $P \mid N \;\not\dot\sim\; Q \mid N$ for $N = \epsilon(d).\omega.nil$, contradicting $(P, Q) \in \mathcal{R}$. Otherwise assume that $Q \xrightarrow{\epsilon(d)} Q'$ (due to time-determinism Q' is unique). Assume $(P', Q') \notin \mathcal{R}$, that is $P' \mid N' \;\not\dot\sim\; Q' \mid N'$ for some N'. In this case $P \mid N \;\not\dot\sim\; Q \mid N$ for $N = \epsilon(d).N'$, again violating the basic assumption that $(P, Q) \in \mathcal{R}$. □

Example. Consider the two processes¹³:

$P \overset{\mathrm{def}}{=} \epsilon(1).a \mid b \qquad Q \overset{\mathrm{def}}{=} b.\epsilon(1).a + \epsilon(1).(a \mid b)$

It is obvious that these two processes are not strong timed equivalent, i.e. $P \not\sim Q$. To see this, note that P possesses the following transition-sequence:

$P \xrightarrow{\epsilon(.5)} \epsilon(.5).a \mid b \xrightarrow{b} \epsilon(.5).a \mid nil \xrightarrow{\epsilon(.5)} a \mid nil$

The only possible match for Q is the following:

$Q \xrightarrow{\epsilon(.5)} b.\epsilon(1).a + \epsilon(.5).(a \mid b) \xrightarrow{b} \epsilon(1).a \xrightarrow{\epsilon(.5)} \epsilon(.5).a$

However, it is clear that this is not a proper match as $a \mid nil \xrightarrow{a}$ whereas $\epsilon(.5).a \not\xrightarrow{a}$. Now using the construction of the above theorem 1 we obtain the following process:

$S = \epsilon(.5).\bar{b}.\omega_1.\epsilon(.5).(\bar{a}.\omega + \tau.nil)$

which distinguishes P and Q, i.e. $P \mid S \;\not\dot\sim\; Q \mid S$. □

We have a similar result for weak timed and time abstracted equivalences.

Theorem 2 $P \approx Q$ if and only if $P \mid S \;\dot\approx\; Q \mid S$ for all S.

Proof: Only if: As $\approx$ is preserved by parallel composition and since $\approx$ is contained in $\dot\approx$, it is obvious that this direction holds.

If: We show that the relation $\mathcal{R} = \{(P, Q) \mid \text{for all } N,\; P \mid N \;\dot\approx\; Q \mid N\}$ is a weak timed bisimulation. A complete proof is given in the full version of the paper [LW93]. □

¹³ We are using the convention of dropping trailing nil's. That is, we write simply a for a.nil.

5 Decidability

From the delay rules in table 2, we can easily see that the timed processes are infinite-state w.r.t. $\xrightarrow{\epsilon(d)}$ and also $\xrightarrow{\epsilon}$. For example, $\epsilon(1).P \mid Q \xrightarrow{\epsilon} \epsilon(0.3).P \mid Q \cdots \xrightarrow{\epsilon} \epsilon(0.0005).P \mid Q \xrightarrow{\epsilon} \cdots \xrightarrow{\epsilon} P \mid Q$. The infinite-stateness makes the decidability problem of $\dot\sim$ and $\dot\approx$ notoriously hard.

To achieve decidability, we shall study a particular class of processes $\mathcal{P}_N$, ranged over by P, Q, called integer processes, in which only naturals are allowed to occur in a delay operator $\epsilon(d)$. However, we should point out that the decidability result is easily extended to processes using rational numbers in delay operators: before comparing two such processes simply multiply all delays by a common constant, sufficiently large to make all delays integers.

In this section, we prove that strong (weak) time abstracted equivalence over integer processes is decidable. The proof is constructed in two steps. First, we show that the state-space of a timed process can be partitioned into equivalence classes according to the notion of time region due to Alur and Dill [AD90]. Secondly, we develop a time-step semantics called k-semantics which is parameterized with a granularity 1/k. Intuitively, the k-semantics describes how a process shall behave in every 1/k time units. The idea is to use each state of such a time-step semantics to represent an equivalence class of states of the timed semantics. Based on the parameterized k-semantics we define a family of symbolic time abstracted equivalences $\dot\sim_k$ which is also relativized to the granularity 1/k. It turns out that $\dot\sim_{n+2}$ coincides with $\dot\sim$, that is:

$P \;\dot\sim\; Q$ if and only if $P \;\dot\sim_{n+2}\; Q$

where n is the maximal number of components in the networks P and Q.

Since the integer processes in the (n+2)-semantics are finite-state, $\dot\sim_{n+2}$ can be checked using the existing techniques and algorithms for bisimulation-checking, such as [KS90, SV89, PT87, JGZ89, CPS89], and hence so can $\dot\sim$. Finally, we extend the results to weak time abstracted equivalence.

5.1 Partitioning State-Space into Equivalence Classes

To illustrate the idea, we consider a simple regular process:

$P \overset{\mathrm{def}}{=} \alpha.Q + \epsilon(1).\tau.R$

The process may offer α before 1 and will time out at 1. Indeed it is infinite-state since by performing an empty transition (delay) it may reach a continuum of states, $\{P^x \mid x < 1\}$. However, $P^x \;\dot\sim\; P^y$ for all $x, y < 1$, that is, $\{P^x \mid x < 1\}$ is an equivalence class.

Naturally, we may say that all time points such as $x = 0, 0.1, \ldots, 0.9$ in the region $x < 1$ are equivalent in the sense that they give rise to an equivalence class of states. This motivates a notion of equivalence over time points in a multi-dimensional time vector.

Let $\vec{x}$ and $\vec{y}$ range over $\mathcal{R}^n$, understood as time points in the n-dimensional time vector. For $\vec{x} \in \mathcal{R}^n$ and $d \in \mathcal{R}^+$, we shall write $\vec{x} + d$ for $(x_1 + d, \ldots, x_n + d)$.


Definition 10 $\vec{x}$ and $\vec{y}$ are equivalent, denoted by $\vec{x} \equiv \vec{y}$, if

1. $\forall i : (\lfloor x_i \rfloor = \lfloor y_i \rfloor)$,

2. $\forall i, j : (\{x_i\} < \{x_j\} \iff \{y_i\} < \{y_j\})$ and

3. $\forall i : (\{x_i\} = 0 \iff \{y_i\} = 0)$.

where $\lfloor d \rfloor$ is the lower integer part of d and $\{d\}$ is the fractional part of d. The equivalence classes of $\equiv$ are called time regions. □

The definition above is the standard one for time region, taken from [AD90]. The first clause requires that the lower integer parts of $\vec{x}$ and $\vec{y}$ must be equal; the second clause requires that the fractional parts of $\vec{x}$ and $\vec{y}$ must be ordered in the same way; the third requires that some fractional parts of $\vec{x}$ are 0 if and only if the corresponding fractional parts of $\vec{y}$ are 0.

The following is an important property of $\equiv$, saying that equivalent points — which must be in the same region — can always reach the same regions by delays.

Lemma 1 Whenever $\vec{x} \equiv \vec{y}$, then for all $d \in \mathcal{R}^+$, $\vec{x} + d \equiv \vec{y} + e$ for some $e \in \mathcal{R}^+$.

Proof: It is given in the full version of the paper [LW93]. □

We intend to establish that for any integer parallel process $\vec{P}$, a time region denotes an equivalence class of states $\vec{P}^{\vec{x}}$¹⁴ in terms of $\dot\sim$. Thus, two states in a time region should agree on what actions they can perform and then reach the same regions; they should also be able to reach the same regions by delays.

Lemma 2 For all $\vec{P} \in \mathcal{P}_N$, $d \in \mathcal{R}^+$ and $a \in Act$, whenever $\vec{x} \equiv \vec{y}$, then

1. $\vec{P}^{\vec{x}} \xrightarrow{a} \vec{P'}^{\vec{x}'}$ for some $\vec{P'}$ and $\vec{x}'$ implies $\vec{P}^{\vec{y}} \xrightarrow{a} \vec{P'}^{\vec{y}'}$ for some $\vec{y}' \equiv \vec{x}'$, and

2. $\vec{P}^{\vec{x}} \xrightarrow{\epsilon(d)} \vec{P}^{\vec{x}+d}$ implies $\vec{P}^{\vec{y}} \xrightarrow{\epsilon(e)} \vec{P}^{\vec{y}+e}$ and $\vec{x} + d \equiv \vec{y} + e$ for some $e \in \mathcal{R}^+$.

Proof: It is given in the full version of the paper [LW93]. □

Now, we are ready to state the partition theorem, which asserts that the infinite state-space of integer processes can be divided into equivalence classes according to time regions. In fact, many such classes belong to a larger equivalence class and the number of such classes is finite.

Theorem 3 (partition) Whenever $\vec{x} \equiv \vec{y}$, then $\vec{P}^{\vec{x}} \;\dot\sim\; \vec{P}^{\vec{y}}$ for all $\vec{P} \in \mathcal{P}_N$.

Proof: By lemma 2, it should be obvious that the relation $S = \{(\vec{P}^{\vec{x}}, \vec{P}^{\vec{y}}) \mid \vec{x} \equiv \vec{y},\; \vec{P} \in \mathcal{P}_N\}$ is a strong time abstracted bisimulation. □

In the next section, we want to find a representative state for each equivalence class and then construct a symbolic transition system in terms of the representative states. In order to do so, we first need to find a representative point for each time region of $\mathcal{R}^n$ for a given n.

Let $\mathcal{N}$ denote the naturals. We define the set of grids with granularity 1/k: $\mathcal{N}^k = \{m/k \mid m \in \mathcal{N}\}$, ranged over by g, h, and the set of grid points with granularity 1/k: $\mathcal{N}^k_n = \{\vec{r} \mid 1 \le i \le n,\; r_i \in \mathcal{N}^k\}$, ranged over by $\vec{r}, \vec{s}$. An obvious choice is to use the grid points $\mathcal{N}^k_n$ as representative points for $\mathcal{R}^n$, for some fixed granularity 1/k.
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We  claim  that  the  grid  points  with  granularity  l/(n  +  1)  are  enough  to  represent  the  n- 
dimensional  time  points  7?"  ,  that  is. 

Lemma 3 For all $x \in \mathcal{R}^n$, there exists $r \in \mathcal{N}^n_{n+1}$ such that $x \equiv r$.

Proof: It is given in the full version of the paper [LW93]. □

Clearly, the lemma above will hold for any granularity finer than $1/(n+1)$, such as $1/(n+2)$, $1/(n+3)$ etc. However, it does not hold for a granularity coarser than $1/(n+1)$. To see this, consider the case of $n = 2$: with the granularity $1/2$ one cannot find a grid point representing $(1/3, 2/3)$.

Thus $1/(n+1)$ is the coarsest granularity allowing any time region in the $n$-dimensional time space to be represented up to $\equiv$. However, we need a slightly finer granularity (which is in fact $1/(n+2)$, as shown in the following lemma) in order for a region to reach, by grid-valued delays, all the regions that are reachable by real-valued delays. The following lemma will be heavily used in proving the decidability results.

Lemma 4 For all $r \in \mathcal{N}^n_{n+2}$ and all $d \in \mathcal{R}^+$, there exist $r' \in \mathcal{N}^n_{n+2}$ and $g \in \mathcal{N}_{n+2}$ such that $r \equiv r'$ and $r + d \equiv r' + g$.

Proof: It is given in the full version of the paper [LW93]. □

Note that $r' + g \in \mathcal{N}^n_{n+2}$, which will prove an essential property for the applicability of our finitary, symbolic semantics to follow. Also, note that it is not always possible to choose $r' = r$. To see this, consider the case of $n = 2$, $r = (3/4, 0)$ and $d = 1/8$. The only possible choices for $g$ are $0$ and $1/4$. However, in both cases we see that $r + g \not\equiv r + d$. Taking instead $r' = (1/2, 0)$ and $g = 1/4$ we obtain, as desired, $r' \equiv r$ and $r' + g \equiv r + d$.
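As an added example (not code from the paper), the following Python checks lemma 3 and lemma 4 on the cases discussed above: it assumes the usual region equivalence on time points (equal integer parts, fractional parts zero in the same components and ordered the same way), and enumerates grid points only up to the largest integer part that a delay by $d$ or $g$ can reach.

```python
from fractions import Fraction
from itertools import product
from math import floor

# Added example, not code from the paper.  It assumes the usual region
# equivalence on time points: two points are equivalent when their integer
# parts agree, their fractional parts are zero in the same components, and
# their fractional parts are ordered the same way.  Grids N_k^n are
# enumerated only up to the largest integer part a delay can reach.

def pt(*coords):
    """Build an exact time point from strings such as "3/4"."""
    return tuple(Fraction(c) for c in coords)

def frac(v):
    return v - floor(v)

def region_equiv(x, y):
    """x ≡ y in the sense described above."""
    if len(x) != len(y):
        return False
    fx, fy = [frac(v) for v in x], [frac(v) for v in y]
    for i in range(len(x)):
        if floor(x[i]) != floor(y[i]) or (fx[i] == 0) != (fy[i] == 0):
            return False
    n = len(x)
    return all((fx[i] <= fx[j]) == (fy[i] <= fy[j])
               for i in range(n) for j in range(n))

def grid_points(n, k, bound):
    """N_k^n with every coordinate in [0, bound]: coordinates are m/k."""
    coords = [Fraction(m, k) for m in range(bound * k + 1)]
    return [tuple(p) for p in product(coords, repeat=n)]

def representative(x, k):
    """Lemma 3: a grid point r in N_k^n with r ≡ x, or None if none exists."""
    bound = max(floor(v) for v in x) + 1
    for r in grid_points(len(x), k, bound):
        if region_equiv(x, r):
            return r
    return None

def same_point_delay(r, d, k):
    """A grid delay g in N_k with r + g ≡ r + d while keeping r' = r, or None."""
    target = tuple(v + d for v in r)
    bound = max(floor(v) for v in target) + 1
    for m in range(bound * k + 1):
        g = Fraction(m, k)
        if region_equiv(tuple(v + g for v in r), target):
            return g
    return None

def grid_delay(r, d, k):
    """Lemma 4: (r', g) with r' ≡ r, g in N_k and r' + g ≡ r + d, or None."""
    target = tuple(v + d for v in r)
    bound = max(floor(v) for v in target) + 1
    for rp in grid_points(len(r), k, bound):
        if not region_equiv(r, rp):
            continue
        for m in range(bound * k + 1):
            g = Fraction(m, k)
            if region_equiv(tuple(v + g for v in rp), target):
                return rp, g
    return None

if __name__ == "__main__":
    x = pt("3/10", "7/10")                       # n = 2, so k = 3 suffices
    print(representative(x, 2), representative(x, 3))
    r, d = pt("3/4", "0"), Fraction(1, 8)        # the case from the text, k = 4
    print(same_point_delay(r, d, 4), grid_delay(r, d, 4))
```

The search may return a different $r'$ than the $(1/2, 0)$ chosen in the text; any $r' \equiv r$ with $r' + g \equiv r + d$ witnesses the lemma.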


Table 4: Action Rules for $k$-Semantics.

Table 5: Delay Rules for $k$-Semantics.
5.2 Time-Step Semantics: Sampling

The timed semantics describes how a process will behave at every real-valued time point with arbitrarily fine precision. This is the source of the infinite-stateness of timed processes.

In practice, the "sampling" technique is often used to analyze a system. Instead of experimenting on the system under consideration at every time point, only certain typical time points are chosen to capture or approximate the full system behaviour. Based on this idea, we develop a time-step semantics called $k$-semantics, relativized by the granularity $1/k$, which describes how a process shall behave every $1/k$ units of time. To achieve finer precision, we can choose a finer granularity. However, the timed processes will be finite-state for any fixed granularity $1/k$. As we shall see later, it is possible to completely capture time abstracted equivalences by sampling with a sufficiently fine granularity. In fact, the granularity required turns out to be $1/(n+2)$, where $n$ is the number of parallel components.

We present the inference rules for the $k$-semantics in two steps: rules for real actions in table 4 and rules for delays in table 5. Note that apart from the index $k$ associated with the arrow, the action rules are the same as in table 1, and the delay rules are parameterized with $k$.

We claim that the processes $\mathcal{P}_N$ are finite-state w.r.t. the transition relation $\longrightarrow_k$ for any non-zero natural $k$. This can be established based on the following facts on processes:


Figure 3: Transition Graph for $\epsilon(1).\alpha.nil \mid \beta.nil$ with Granularity 1/2.

•  There  is  no  infinite  summation  allowed; 

•  All  recursive  definitions  are  well-guarded; 

• No parallel composition occurs within a recursion;

• Every process $P$ must be time-stable after some maximal delay $d_m$, in the sense that $P^{d_m} \xrightarrow{d} P^{d_m}$ for all $d$, or $P^{d_m} \not\longrightarrow$.$^{15}$

Example. In figure 3, we have a transition graph for $\epsilon(1).\alpha.nil \mid \beta.nil$ with granularity 1/2. For clarity, we have omitted nil in the graph. □


15 Here, $P^{d_m}$ stands for $P_1^{d_m} \mid \ldots \mid P_n^{d_m}$.
5.3 Symbolic Time Abstracted Bisimulation

We shall use a grid state $P^{r}$ to stand for an equivalence class of (real-valued) states. More precisely, we define:

$\overline{P^{r}} = \{P^{x} \mid x \equiv r\}$

A class like $\overline{P^{r}}$ shall be called a symbolic state (or a symbolic process). We shall use $R, S$ to denote symbolic states. Now, we define a symbolic transition relation $\longmapsto_k$ over symbolic states (classes of real-valued states) as follows:

Definition 11 For $r, s \in \mathcal{N}^n_k$ and $P, Q \in \mathcal{P}_N$:

1. $\overline{P^{r}} \overset{a}{\longmapsto}_k \overline{Q^{s}}$ if $P^{r} \xrightarrow{a}_k Q^{s}$

2. $\overline{P^{r}} \overset{\chi}{\longmapsto}_k \overline{Q^{s}}$ if $P^{r} \xrightarrow{1/k}_k Q^{s}$ □

Intuitively, if there is a real transition in the $k$-semantics between two grid states, then there is a symbolic transition between the two equivalence classes they represent. Note that the definition above contains much more information than it looks. In fact, according to the definition, we can infer a symbolic transition like $\overline{P^{r}} \overset{a}{\longmapsto}_k \overline{Q^{s}}$ whenever $P^{r'} \xrightarrow{a}_k Q^{s'}$ for some grid states $r' \equiv r$ and $s' \equiv s$. However, the numbers of grid states in $\overline{P^{r}}$ and $\overline{Q^{s}}$ are finite and hence the symbolic processes are finite-state w.r.t. the symbolic transition relation $\longmapsto_k$.

Like  in  defining  time  abstracted  equivalence,  we  now  abstract  away  from  the  symbolic  time 
steps  between  symbolic  states. 

Definition 12

1. $R \longmapsto_{\circ k} S$ if $R\ (\overset{\chi}{\longmapsto}_k)^*\ S$

2. $R \overset{a}{\longmapsto}_{\circ k} S$ if $R \longmapsto_{\circ k} \overset{a}{\longmapsto}_k \longmapsto_{\circ k} S$ □

Definition 13 (strong symbolic $k$-equivalence) A binary relation $\mathcal{S}$ over symbolic states is a strong $k$-simulation if $(R, S) \in \mathcal{S}$ implies that for all $a \in Act$:

1. Whenever $R \overset{a}{\longmapsto}_k R'$ then, for some $S'$, $S \overset{a}{\longmapsto}_{\circ k} S'$ and $(R', S') \in \mathcal{S}$

2. Whenever $R \overset{\chi}{\longmapsto}_k R'$ then, for some $S'$, $S \longmapsto_{\circ k} S'$ and $(R', S') \in \mathcal{S}$

We call such a simulation $\mathcal{S}$ a strong $k$-bisimulation if it is symmetrical. The largest strong $k$-bisimulation is called strong symbolic $k$-equivalence, denoted $\sim_k$.

We define $P^{r} \sim_k Q^{s}$ whenever $\overline{P^{r}} \sim_k \overline{Q^{s}}$. □

Note that $\sim_k$ is decidable for any fixed $k$ because of the finite-stateness of symbolic processes. The following is the main result of this section.

Theorem 4 For all $P, Q \in \mathcal{P}_N$ and $r, s \in \mathcal{N}^n_{n+2}$, $P^{r} \sim Q^{s}$ if and only if $P^{r} \sim_{n+2} Q^{s}$, where $n$ is the maximal number of components of $P$ and $Q$.$^{16}$

Proof: For the direction "only if", we show that the relation $\mathcal{R} = \{(\overline{P^{r}}, \overline{Q^{s}}) \mid r, s \in \mathcal{N}^n_{n+2},\ P, Q \in \mathcal{P}_N \text{ and } P^{r} \sim Q^{s}\}$ is a strong symbolic $(n+2)$-bisimulation; for the other direction, we show that the relation $\mathcal{S} = \{(P^{r}, Q^{s}) \mid r, s \in \mathcal{N}^n_{n+2},\ P, Q \in \mathcal{P}_N \text{ and } \overline{P^{r}} \sim_{n+2} \overline{Q^{s}}\}$ is a strong time abstracted bisimulation up to $\sim$. A complete proof is given in the full version of the paper [LW93]. □

16 Note that we can always extend $P$ or $Q$ with nil-processes as auxiliary components so that they own the same number of components.

We  extend  the  results  to  weak  time  abstracted  equivalence. 

Definition 14

1. $R \Longrightarrow_{\circ k} S$ if $R\ (\overset{\tau}{\longmapsto}_k \cup \overset{\chi}{\longmapsto}_k)^*\ S$

2. $R \overset{a}{\Longrightarrow}_{\circ k} S$ if $R \Longrightarrow_{\circ k} \overset{a}{\longmapsto}_k \Longrightarrow_{\circ k} S$ □

Definition 15 (weak symbolic $k$-equivalence) A binary relation $\mathcal{S}$ over symbolic states is a weak $k$-simulation if $(R, S) \in \mathcal{S}$ implies that for all $a \in Act - \{\tau\}$ and $\theta \in \{\chi, \tau\}$:

1. Whenever $R \overset{a}{\longmapsto}_k R'$ then, for some $S'$, $S \overset{a}{\Longrightarrow}_{\circ k} S'$ and $(R', S') \in \mathcal{S}$

2. Whenever $R \overset{\theta}{\longmapsto}_k R'$ then, for some $S'$, $S \Longrightarrow_{\circ k} S'$ and $(R', S') \in \mathcal{S}$

We call such a simulation $\mathcal{S}$ a weak $k$-bisimulation if it is symmetrical. The largest weak $k$-bisimulation is called weak symbolic $k$-equivalence, denoted $\approx_k$.

We define $P^{r} \approx_k Q^{s}$ whenever $\overline{P^{r}} \approx_k \overline{Q^{s}}$. □

Finally,  we  achieve  the  decidability  result  for  weak  time  abstracted  equivalence. 

Theorem 5 For all $P, Q \in \mathcal{P}_N$ and $r, s \in \mathcal{N}^n_{n+2}$, $P^{r} \approx Q^{s}$ if and only if $P^{r} \approx_{n+2} Q^{s}$, where $n$ is the maximal number of components of $P$ and $Q$.

Proof:  It  is  similar  to  the  proof  for  theorem  4.  A  complete  proof  is  given  in  the  full  version  of 
the  paper  [LW93].  □ 


6  Conclusion 

In  this  paper  we  have  introduced  a  notion  of  time-abstracting  bisimulation  equivalence. 

As the first main result of this paper, we have demonstrated that two processes are interchangeable in any context up to time-abstracted equivalence precisely when they are timed equivalent. Thus, by resorting to implicit specifications, i.e. specifications of a system in contexts, we may reveal all timing properties of a system.

As our second main result we have established the decidability of the time-abstracted equivalence by providing a finite-state and symbolic, yet structured, operational semantics of processes. The symbolic semantics can be seen as sampling a process with a given frequency; we prove that sufficiently frequent sampling, namely with granularity $1/(n+2)$ where $n$ is the number of parallel components, yields a symbolic equivalence completely capturing the time-abstracted equivalence.

The  minimization  algorithm  presented  in  [ACH92]  can  be  seen  to  minimize  timed  graphs 
[AD90]  with  respect  to  time-abstract  bisimulation  equivalence  even  though  no  notion  of  time- 
abstracted  bisimulation  is  given  in  the  paper.  Despite  the  purpose  of  the  minimization  effort 
being  to  obtain  more  efficient  model-checking  algorithms  with  respect  to  a  real-time  temporal 
logic,  we  believe  that  the  results  of  [ACH92]  can  provide  an  alternative  method  for  deciding 
time-abstracted equivalences. However, we are of the opinion that our approach is simpler (certainly from a process algebraic point of view) as it is based directly on a traditional structured, operational semantics.
Recently, we have completed a prototype implementation of a tool-set for timed and time-abstracted bisimulation equivalences based on the methods described in this paper and in [C92]. In addition, the tool-set applies the efficient, local checking technique described in [La92], thus avoiding exploring the state-space more than necessary. We hope to report upon this work in a forthcoming paper [CGL92].
Abstract

A theory of timewise refinement is presented. This allows the translation of specifications and proofs of correctness between semantic models, permitting each stage in the verification of a system to take place at the appropriate level of abstraction. The theory is presented within the context of CSP. A denotational characterisation is given in terms of relations between behaviours at different levels of abstraction, and various properties for the preservation of refinement through parallel composition are discussed. An operational characterisation is also given in terms of timed and untimed tests, and observed to coincide with the denotational characterisation.


1  Introduction  and  general  theory 

Verification of time-critical systems requires the application of necessarily complicated and detailed techniques, reflecting the complex nature of such systems and the detailed and precise requirements upon them. Yet it is often the case that a significant proportion of specifications on timed systems will be concerned with logical behaviour rather than timing behaviour, and proposed implementations will often be correct with respect to these parts of the specification by virtue of their functional properties, independently of their timing properties. This paper proposes a way of avoiding the need to carry out the entire analysis of a system at the most complicated level. We investigate refinement relations between processes in different models of the CSP hierarchy [Ree88]. It is important to identify which properties (such as deadlock-freedom or determinism) can be translated between models, since only for such properties can verifications be mapped up the hierarchy. The more mature and powerful techniques available in the more abstract models, such as model-checking, algebraic techniques, theories for deadlock-freedom, and simply more abstract reasoning, may then be used in conjunction with the more cumbersome and difficult methods required for the more detailed aspects of the verification.

This paper investigates two refinement relations in detail, both from an untimed to a timed model of CSP. The first untimed model is concerned only with safety specification. The second is also able to address fairness and (untimed) liveness requirements. The relationships between these two models and the timed infinite model for timed CSP [Sch92, MRS92] will be presented.


General  framework 


We  model  a  process  in  terms  of  the  observations  that  may  be  made  of  it,  which 
may  also  be  considered  as  the  behaviours  it  may  exhibit.  If  we  have  a  set  O 
of  all  possible  observations,  then  a  process  is  identified  with  a  subset  of  O. 
The  corresponding  semantic  model  M  consists  of  those  subsets  of  O  that  may 
be  considered  to  represent  some  process.  A  set  of  healthiness  conditions,  or 
axioms,  for  M  are  used  to  characterise  these  subsets  of  O. 

A programming language $\mathcal{L}$ is used for describing processes. Each program in $\mathcal{L}$ is associated with an element of $\mathcal{M}$, called its semantics or meaning, by means of a semantic function $\mathcal{F} : \mathcal{L} \to \mathcal{M}$. This function is compositional, in the sense that the process associated with any particular program depends only on the processes associated with its components, and how these components are composed.

Specifications are given in terms of predicates upon observations. A process $P$ meets a specification $S$ if all of its observations meet the corresponding predicate. In this case, we write $P \;\mathbf{sat}\; S$.

$P \;\mathbf{sat}\; S \;\hat{=}\; \forall o : O \bullet (o \in \mathcal{F}[[P]]) \Rightarrow S$

A  program  meets  a  specification  when  its  semantics  meets  it. 

A process $P_1$ is refined by another process $P_2$ when every possible behaviour of $P_2$ is also a possible behaviour of $P_1$. In this case we write $P_1 \sqsubseteq P_2$, and consider $P_2$ to be more deterministic than $P_1$, since $P_1$ can do everything $P_2$ can, and possibly more. If $P_1 \sqsubseteq P_2$ and $P_1 \;\mathbf{sat}\; S$, then it follows that $P_2 \;\mathbf{sat}\; S$; refining a process maintains correctness with respect to specifications. This approach also allows processes $P$ to act as specifications: $P_2$ meets specification $P$ if it is a refinement of $P$.

The nature of the semantic model is dependent upon the nature of the observation set $O$. Observations describe executions of systems at a particular level
of  abstraction.  For  example,  the  use  of  traces  as  observations  provides  only  the 
sequences  of  events  that  a  system  may  perform;  refusals  provide  information 
about  contexts  in  which  a  system  may  deadlock;  and  timed  traces  also  provide 
information  about  the  times  at  which  events  may  occur.  The  use  of  a  particular 
kind  of  observation  depends  on  the  kind  of  specification  we  wish  to  consider, 
and  the  level  of  abstraction  at  which  we  need  to  consider  the  system  in  order  to 
establish  correctness. 

If we have two different semantic models $\mathcal{M}_A$ and $\mathcal{M}_C$, based upon different sets of observations $O_A$ and $O_C$ respectively, then we are able to analyse systems at two different levels of abstraction; and we may ask when a description at the level of $\mathcal{M}_C$ refines a description at the level of $\mathcal{M}_A$.

We firstly employ a relation ${}_A\mathcal{R}_C \subseteq O_A \times O_C$ to relate observations at the different levels of abstraction. The intention is that if $b_A \;{}_A\mathcal{R}_C\; b_C$ then $b_A$ and $b_C$ are both descriptions, at different levels of abstraction, of the same execution; or alternatively, that $b_A$ is an abstract description of $b_C$. There is of course no guarantee that the relation ${}_A\mathcal{R}_C$ captures a useful relationship between behaviours; this depends upon the intended application of the theory. The refinement relation between processes from $\mathcal{M}_A$ and processes from $\mathcal{M}_C$ with respect to the relation ${}_A\mathcal{R}_C$ is then given by the following definition.

Definition 1.1

$P_A \sqsubseteq_{A\mathcal{R}_C} P_C \;\hat{=}\; {}_A\mathcal{R}_C^{-1}(P_C) \subseteq P_A$

□

We consider $P_C$ to refine $P_A$ if $P_A$ admits every abstract view of every behaviour of $P_C$.

Refinement  may  be  promoted  to  programs: 

Definition 1.2

$Q_A \sqsubseteq_{A\mathcal{R}_C} Q_C \;\hat{=}\; \mathcal{F}_A[[Q_A]] \sqsubseteq_{A\mathcal{R}_C} \mathcal{F}_C[[Q_C]]$

□

A verification of $Q_A$ may be translated into a verification of $Q_C$ by use of the following inference rule, whose soundness follows from the definitions above:

$$\frac{Q_A \;\mathbf{sat}_A\; S_A \qquad Q_A \sqsubseteq_{A\mathcal{R}_C} Q_C}{Q_C \;\mathbf{sat}_C\; \forall b_A \bullet (b_A \;{}_A\mathcal{R}_C\; b_C \Rightarrow S_A)}$$

We may thus consider the specification $\forall b_A \bullet (b_A \;{}_A\mathcal{R}_C\; b_C \Rightarrow S_A)$ to be the translation of $S_A$. (Here we use $b_A$ as the free variable in $S_A$ ranging over behaviours in $O_A$ in the $\mathbf{sat}$ relation; and $b_C$ similarly.)

Observe that if $\mathcal{M}_A = \mathcal{M}_C$, and the relation ${}_A\mathcal{R}_C$ is the identity relation, then the refinement relation $\sqsubseteq_{A\mathcal{R}_C}$ is simply refinement under the non-deterministic ordering; and the rule states that if a program meets a specification, then so too does any refinement of it.

Definition 1.3 A refinement relation ${}_A\mathcal{R}_C$ is said to be complete if whenever the conclusion of the above rule holds, then there is some $Q_A$ for which the two antecedents hold. □

Lemma 1.4 The relation ${}_A\mathcal{R}_C$ is complete if and only if ${}_A\mathcal{R}_C^{-1}(Q)$ is an element of $\mathcal{M}_A$ whenever $Q$ is an element of $\mathcal{M}_C$. □

Proof Assume that ${}_A\mathcal{R}_C^{-1}(Q)$ is an element of $\mathcal{M}_A$ whenever $Q$ is an element of $\mathcal{M}_C$. Consider the conclusion $Q_C \;\mathbf{sat}_C\; \forall b_A \bullet (b_A \;{}_A\mathcal{R}_C\; b_C \Rightarrow S_A)$. Then it follows that ${}_A\mathcal{R}_C^{-1}(Q_C) \;\mathbf{sat}\; S_A$, and also ${}_A\mathcal{R}_C^{-1}(Q_C) \sqsubseteq_{A\mathcal{R}_C} Q_C$; thus the rule is complete.

If on the other hand there is some $Q$ for which ${}_A\mathcal{R}_C^{-1}(Q)$ is not a process, then given any $P \sqsubseteq_{A\mathcal{R}_C} Q$, $P$ will not meet the specification $b_A \in {}_A\mathcal{R}_C^{-1}(Q)$. This is because ${}_A\mathcal{R}_C^{-1}(Q)$ is a subset of $P$ which, not being a process, cannot equal $P$; so $P$ will contain some behaviour $b_A$ which breaks the specification. Yet the process $Q$ meets the timed version of that specification. □


Completeness of the refinement relation allows translation in the following direction:

$$\frac{Q_C \;\mathbf{sat}\; \forall b_A \bullet (b_A \;{}_A\mathcal{R}_C\; b_C \Rightarrow S_A)}{{}_A\mathcal{R}_C^{-1}(Q_C) \;\mathbf{sat}\; S_A}$$

The following weakening of the conclusion to this rule is often useful:

$\exists Q_A \bullet Q_A \sqsubseteq_{A\mathcal{R}_C} Q_C \;\wedge\; Q_A \;\mathbf{sat}\; S_A$

The discussion so far has all been on the semantic level. In order to prove that one program refines another using the above theory, it is necessary to calculate the semantics of each program, and then check that the refinement relation holds between them. Compositionality often plays a critical role in breaking down verification obligations on large systems to manageable components. We aim to exploit the compositional nature of program semantics, and so we investigate when refinements established between components of abstract and concrete systems mean that the entire abstract system is refined by the entire concrete system.

A context $C_A(X)$ is said to be refined by another context $C_C(Y)$ if there is a relationship $C_A(Q_A) \sqsubseteq_{A\mathcal{R}_C} C_C(Q_C)$ whenever $Q_A \sqsubseteq_{A\mathcal{R}_C} Q_C$. Our aim is to find relationships concerning the operators of the language $\mathcal{L}$ so that refinement between contexts and programs may be established without resorting to explicit calculation of their semantics, by reasoning at the syntactic level.

A syntactic operator $\oplus'$ of $\mathcal{L}$ is a refinement of operator $\oplus$ if combinations of refinements of processes refine combinations of the processes:

Definition 1.5 An operator $\oplus'$ of the language $\mathcal{L}$ with arity $\alpha$ refines operator $\oplus$ with the same arity, if

$(\forall i < \alpha \bullet P_i \sqsubseteq_{A\mathcal{R}_C} Q_i) \Rightarrow \oplus(P_i \mid i < \alpha) \sqsubseteq_{A\mathcal{R}_C} \oplus'(Q_i \mid i < \alpha)$

□

The framework presented above is very well-known. But to go further, we must focus on particular models, languages, and refinement relations. We are interested in conditions for refinement relations to exist between programs (which will vary from relation to relation), and how specifications translate between models.

In this paper we are concerned with mapping results up the hierarchy of untimed and timed models for CSP. We will concentrate on two relations in detail, both from an untimed to a timed model: one from the untimed traces model, which is used for analysis of safety properties; and one from the untimed infinite traces model [Ros88] (which also contains failures and divergences), a more sophisticated untimed model supporting consideration of liveness issues.


2  Communicating  Sequential  Processes 


Syntax 

The language of Communicating Sequential Processes is given by the following Backus-Naur form:

$P ::= Chaos \mid Stop \mid Skip \mid P ; P \mid P \stackrel{t}{\triangleright} P \mid P \,\Box\, P \mid a : A \rightarrow P_a \mid \sqcap_{i \in I} P_i \mid P \,{}_A\|_A\, P \mid P \,|||\, P \mid P \setminus A \mid f(P) \mid f^{-1}(P) \mid X \mid \mu X \circ P$


Here the set $A$ is a subset of the universal set of events $\Sigma$; $I$ is a subset of the set of indexes; $f$ is a function $\Sigma \to \Sigma$; $X$ is drawn from the set of process variables $VAR$; and $t$ is drawn from the set of times, the non-negative real numbers. The programs of the language are those terms with no free process variables.

The constructors given by the BNF above represent respectively: the most non-deterministic process; deadlock; successful termination; sequential composition; timeout; external choice; prefix choice; non-deterministic choice; synchronised parallel; interleaving parallel; interface abstraction or hiding; two forms of alphabet renaming; process variable; and recursion. For a more detailed discussion of the language, the reader is referred to [DaS92b].

The following abbreviations often prove useful:

$Wait\ t \;=\; Stop \stackrel{t}{\triangleright} Skip$

$b \rightarrow P \;=\; a : \{b\} \rightarrow P(a)$ where $P(b) = P$

$b \stackrel{t}{\rightarrow} P \;=\; b \rightarrow Wait\ t ; P$

$P \,\|\, Q \;=\; P \,{}_\Sigma\|_\Sigma\, Q$

$P \sqcap Q \;=\; \sqcap_{i \in \{1,2\}} P_i$ where $P_1 = P$ and $P_2 = Q$


When modelling timed processes, we must take care to ensure that recursive calls are time guarded, so that a minimum delay must elapse between successive recursive calls. This is achieved by ensuring that every instance of the process variable of a recursive term should appear in the right-hand argument of a non-zero timeout. A set of rules for determining when a term is time guarded is detailed in [DaS92a].
Notation

The set $\Sigma$ is the set of visible events. Variables $a, b, c$ are taken to range over $\Sigma$. The variables $t$ and $u$ range over $\mathbb{R}^+$, the set of non-negative real numbers. Variable $tr$ ranges over $\Sigma^*$, finite sequences of events from $\Sigma$; $u$ ranges over $\Sigma^\omega$, infinite sequences of events from $\Sigma$; $X \subseteq \Sigma$ denotes a set of events; $s$ ranges over $(\mathbb{R}^+ \times \Sigma)^{\infty}$, the (finite and infinite) sequences of timed visible events; we use $\aleph \subseteq \mathbb{R}^+ \times \Sigma$ to represent a timed refusal, a set of timed visible events.

We use the following operations on (untimed and timed) sequences of events: $\#w$ is the length of the sequence $w$; $w_1 \frown w_2$ denotes the concatenation of $w_1$ and $w_2$. The notation $w_1 \preceq w_2$ means that $w_1$ is a subsequence of $w_2$. The following projections are defined on untimed sequences by list comprehension:

$tr \upharpoonright A = \langle a \mid a \leftarrow tr,\ a \in A \rangle$

$tr \setminus A = \langle a \mid a \leftarrow tr,\ a \notin A \rangle$

$tr \downarrow c = \langle x \mid a \leftarrow tr,\ a = c.x \rangle$

$\sigma(tr) = \{a \mid tr \upharpoonright \{a\} \neq \langle\rangle\}$

For timed sequences, we define the beginning and end of a sequence in the following way: $begin(\langle(t, a)\rangle \frown s) = t$, $end(s \frown \langle(t, a)\rangle) = t$, and for convenience $begin(\langle\rangle) = \infty$ and $end(\langle\rangle) = 0$. The following projections on timed sequences are defined by list comprehension:

$s < t = \langle (u, a) \mid (u, a) \leftarrow s,\ u < t \rangle$

$s \le t = \langle (u, a) \mid (u, a) \leftarrow s,\ u \le t \rangle$

$s \uparrow t = \langle (u, a) \mid (u, a) \leftarrow s,\ u = t \rangle$

$s \upharpoonright A = \langle (u, a) \mid (u, a) \leftarrow s,\ a \in A \rangle$

$s \setminus A = \langle (u, a) \mid (u, a) \leftarrow s,\ a \notin A \rangle$

$s - t = \langle (u - t, a) \mid (u, a) \leftarrow s,\ u \ge t \rangle$

$strip(s) = \langle a \mid (u, a) \leftarrow s \rangle$

$\sigma(s) = \{a \mid s \upharpoonright \{a\} \neq \langle\rangle\}$

We also define a number of projections on timed refusal sets:

$\aleph < t = \{(u, a) \mid (u, a) \in \aleph,\ u < t\}$

$\aleph \ge t = \{(u, a) \mid (u, a) \in \aleph,\ u \ge t\}$

$\aleph \upharpoonright A = \{(u, a) \mid (u, a) \in \aleph,\ a \in A\}$

$\aleph - t = \{(u - t, a) \mid (u, a) \in \aleph,\ u \ge t\}$

$\sigma(\aleph) = \{a \mid (u, a) \in \aleph\}$

$end(\aleph) = \sup\{u \mid (u, a) \in \aleph\}$

We will use $(s, \aleph) - t$ as an abbreviation for $(s - t, \aleph - t)$, and $end(s, \aleph)$ for $\max\{end(s), end(\aleph)\}$.
Semantic models

The hierarchy of models presented in [Ree88] supports reasoning at a number of levels of abstraction, allowing aspects of behaviour dependent upon refusal information, stability information, or timing information to be included as required. In addition to Reed's hierarchy of models, we have the infinite timed model $\mathcal{M}_{TI}$, presented in [Sch92] and [MRS92]; and the untimed infinite traces model $\mathcal{M}_{UI}$ of [Ros88], which is an extension of the failures-divergences model of [BrR85]. In this paper we will focus on the three models which yield the most general results concerning refinement: the untimed traces model $\mathcal{M}_{UT}$, and the two infinite models. These three models are presented in full, together with their corresponding semantic functions, in Appendix A.


Figure 1: Reed's hierarchy and additional models (among them $\mathcal{M}_{TI}$, $\mathcal{M}_{TFS}$ and $\mathcal{M}_{TT}$).
The untimed traces model

Observations in the model $\mathcal{M}_{UT}$ are simply finite sequences of events, or traces. A trace of a system is a record of the events performed during some (partial) execution of the system. Thus the observation set $O_{UT}$ is defined to be $\Sigma^*$, where $\Sigma$ is the universal set of events.

The model $\mathcal{M}_{UT}$ is the set of nonempty prefix closed subsets $S$ of $O_{UT}$.

The  untimed  infinite  traces  model 

This model is first described in [Ros88]. In other presentations, processes consist of three components, modelling the three kinds of observation that may be made: a failure set $F \subseteq \Sigma^* \times \mathbb{P}(\Sigma)$; a divergence set $D \subseteq \Sigma^*$; and an infinite traces set $I \subseteq \Sigma^\omega$. A divergence $tr$ is a sequence of events such that after some prefix of $tr$ the system may perform an infinite sequence of internal actions. A failure $(tr, X)$ is an observation of a system if either the sequence of external events $tr$ may be observed during an execution, after which no further internal progress may be made and the process refuses to engage in any event from the set $X$; or else $tr$ is a divergent trace. An infinite trace $u$ is an infinite sequence of actions such that either the system may perform the whole trace during a single execution, or else some prefix of it is a divergent trace.

For the sake of uniformity within this presentation, we consider a process to consist of a single set $S$ of pairs, where the first component is a label from the set $\{f, d, i\}$, and the second component is a behaviour from the corresponding behaviour set. Thus $S$ is a subset of

$\{f\} \times (\Sigma^* \times \mathbb{P}(\Sigma)) \;\cup\; \{d\} \times \Sigma^* \;\cup\; \{i\} \times \Sigma^\omega$

The  timed  infinite  traces  model 

In this model, the times at which events are performed and refused are recorded. This model assumes that systems are finitely variable: an infinite sequence of internal and external actions may not be performed in a finite time. Thus the only infinite traces that may be observed must take infinitely long to occur. Furthermore, since a change in the set of events made available to the environment is considered to correspond to an internal action, this model needs to consider only those refusal sets which contain finitely many changes in any finite interval. The set of traces $T\Sigma^{\infty}_{\le}$ and refusal sets $IRSET$ are adequate for capturing all possible observations of finitely variable systems:

$T\Sigma^{\infty}_{\le} = \{s \in (\mathbb{R}^+ \times \Sigma)^{\infty} \mid \langle(t_1, a_1), (t_2, a_2)\rangle \preceq s \Rightarrow t_1 \le t_2 \;\wedge\; \#s = \infty \Rightarrow end(s) = \infty\}$

$RTOK = \{[b, e) \times A \mid 0 \le b \le e < \infty \wedge A \subseteq \Sigma\}$

$RSET = \{\bigcup R \mid R \subseteq RTOK \wedge R \text{ is finite}\}$

$IRSET = \{\bigcup R \mid R \subseteq RTOK \wedge \forall t \bullet (\bigcup R) < t \in RSET\}$
Behaviours consist of (trace, refusal) pairs. In contrast to the untimed case, the refusal is observed during the occurrence of the trace, rather than simply afterwards.

For example, the behaviour $(\langle (3, a), (3, d), (8, b) \rangle, [0, 20) \times \{c\})$ is a record indicating that the process was observed to refuse event c beginning at time 0, that while it was continuing to do so, it performed event a and then d at time 3, and then event b at time 8. Finally, the observer stopped watching c being refused at time 20.

As usual, a process consists of the set of possible behaviours that may be observed of it. The model is presented in full in [Sch92, MRS92].

Example

Define the program AB as follows:

AB = \mu X \bullet (a \xrightarrow{4} X \;\triangleright^{5}\; b \rightarrow Stop)

Then $\mathcal{T}_{UT}[\![AB]\!]$ contains both the traces ⟨a⟩ and ⟨a, a, b⟩, but not the trace ⟨b, a⟩. The untimed infinite semantics $\mathcal{F}_{UI}[\![AB]\!]$ contains the failures (f, (⟨a, a⟩, {a})) and (f, (⟨a, b⟩, {b, c})), but not (f, (⟨a⟩, {b})) or (f, (⟨b, a⟩, {})); it contains the infinite trace (i, ⟨a, a, a, ...⟩); and it contains no divergences.

The timed behaviours $\mathcal{F}_{TI}[\![AB]\!]$ include $(\langle (2, a), (9, a) \rangle, [0, 6) \times \{b\})$: the process may perform event a at time 2, and again at time 9, while refusing to perform b between times 0 and 6. The behaviour $(\langle \rangle, [0, 5) \times \{b\} \cup [5, \infty) \times \{a\})$ is also possible: if no external events are performed, then b will be refused for the first 5 units of time, after which the timeout will occur, and a will be refused thereafter. Neither $(\langle (2, a) \rangle, [0, 1) \times \{a\})$ nor $(\langle \rangle, [0, 10) \times \{b\})$ is a possible timed behaviour of $\mathcal{F}_{TI}[\![AB]\!]$.

3 Timed refinement

3.1 Trace refinement

We consider an untimed trace to be an abstract description of a timed failure if the trace corresponds to the sequence of events in the timed trace. We thus define the refinement relation between untimed traces $O_{UT}$ and timed failures $O_{TI}$ as follows:

tr \;{}_{UT}\mathcal{R}_{TI}\; (u, \aleph) \iff tr = strip(u)

For a timed trace s, the sequence strip(s) is the trace s with the times removed from the events.

Theorem 3.1 This refinement relation is complete. □

Proof By Lemma 1.4 it is enough to show that $P = {}_{UT}\mathcal{R}_{TI}^{-1}(Q)$ is a well-defined process for any timed process Q. But ${}_{UT}\mathcal{R}_{TI}^{-1}(Q) = \{ strip(s) \mid (s, \aleph) \in Q \}$, and this set is clearly non-empty (since Q is) and prefix closed (since Q is), and hence it is a well-defined process, meeting the definition in Appendix A. □

It turns out that all of the CSP operators preserve this refinement relation:

Theorem 3.2 Given any CSP operator ⊕, and two vectors of processes P and Q of length arity(⊕) with $P \sqsubseteq_{UT\mathcal{R}TI} Q$,

\oplus(P) \sqsubseteq_{UT\mathcal{R}TI} \oplus(Q)

Proof By an analysis of the timed and untimed semantics (given in Appendix A) of each CSP operator in turn. □

Corollary 3.3 For any program P, $P \sqsubseteq_{UT\mathcal{R}TI} P$. □

The payoff from this result is that any trace specification may be verified of a CSP program in the untimed traces model, and it follows immediately that its translation into the timed model will hold for the same program on its more complicated semantics. Also $Skip \sqsubseteq_{UT\mathcal{R}TI} \sqcap_{t \in I} Wait\ t$ for any set of times I, so arbitrary delays can be introduced into programs while still preserving refinement, since if $P \sqsubseteq_{UT\mathcal{R}TI} Q$, then it follows that $Skip ; P = P \sqsubseteq_{UT\mathcal{R}TI} \sqcap_{t \in I} Wait\ t ; Q$. Thus an untimed verification can be carried out and delays inserted subsequently.

The translation of a specification S on traces (with free variable tr) will be

\forall tr \in \Sigma^* \bullet (tr \;{}_{UT}\mathcal{R}_{TI}\; (s, \aleph) \Rightarrow S)

If S is admissible (i.e. $(\forall tr < u \bullet S) \Rightarrow S[u/tr]$) then this is equivalent on processes to the specification S[strip(s)/tr]. Thus admissible specifications may be translated to timed specifications by a simple substitution of the free variable. Since most safety specifications are admissible, this does not amount to a practical limitation.


As an example, consider the safety requirement that b should always be the last event performed. This is given by

S = \forall tr_0, tr_1 \bullet (tr = tr_0 {}^{\frown} \langle b \rangle {}^{\frown} tr_1) \Rightarrow tr_1 = \langle \rangle

A verification in the traces model that program AB satisfies this specification would be quite straightforward. We may translate this verification to the timed model, and conclude that AB sat S[strip(s)/tr] in that model. This may then be used in a timed verification. For example, consider the timed specification that event a should never be performed within 8 time units of any b:

(t, b) \mathrel{\text{in}} s \Rightarrow a \notin \sigma(s \upharpoonright (t - 8, t + 8))

This specification reads as follows: if (t, b) is recorded in the trace s, then a does not appear in the set of events recorded in s during the interval (t − 8, t + 8). Then the untimed specification tells us that a cannot occur after b, i.e. in the interval (t, t + 8), so the only cases to consider in the timed model are a occurring before b, or at the same time, i.e. the interval (t − 8, t]. For this case, a timed analysis on AB is required.

In general, S is translated to $(\#s < \infty \Rightarrow S[strip(s)/tr])$.

3.2 Failures Refinement

We may think of a process refusing a particular set, in the untimed sense, if it eventually reaches a state after which no event from that set is possible. In the timed world, this corresponds to the information that there is some time after which the set may be continuously refused. Thus for a timed behaviour (u, ℵ) with finite timed trace u, an abstract view of this behaviour would be an untimed version strip(u) of the trace, and for any set X, if there is some t for which [t, ∞) × X is contained in ℵ, then ℵ is evidence that X may eventually be refused forever.

Relating timed infinite traces to untimed ones, we obtain the following refinement relation between $O_{UI}$ and $O_{TI}$:

(f, (tr, X)) \;{}_{UI}\mathcal{R}_{TI}\; (u, \aleph) \iff tr = strip(u) \wedge \exists t \bullet [t, \infty) \times X \subseteq \aleph

(i, tr_0) \;{}_{UI}\mathcal{R}_{TI}\; (u, \aleph) \iff tr_0 = strip(u)

Observe that there is no timed version of divergence in this model.
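The two refinement relations, applied to the finite AB behaviours listed in the example of Section 2, as an added Python illustration (constructed here, not code from the paper); it assumes a refusal set is written as a finite set of tokens (begin, end, event) standing for [begin, end) × {event}, with end = ∞ permitted, and it also carries the translation of the safety specification S and the timed "no a within 8 of b" specification from Section 3.1.

```python
import math

INF = math.inf

# Constructed sample behaviours of AB, copied from the worked example in the text:
#   (<(2,a),(9,a)>, [0,6) x {b})   and   (<>, [0,5) x {b} U [5,oo) x {a})
# plus (<(2,a)>, {}) so that the sample is prefix closed.  A refusal set is a
# frozenset of tokens (begin, end, event), each meaning [begin, end) x {event}.
AB_BEH_1 = (((2, 'a'), (9, 'a')), frozenset({(0, 6, 'b')}))
AB_BEH_2 = ((), frozenset({(0, 5, 'b'), (5, INF, 'a')}))
AB_BEH_3 = (((2, 'a'),), frozenset())
AB_TIMED = {AB_BEH_1, AB_BEH_2, AB_BEH_3}


def strip(s):
    """strip(s): the timed trace s with the times removed from the events."""
    return tuple(a for _, a in s)


def sigma(s, lo, hi):
    """sigma(s restricted to (lo, hi)): the events performed strictly between lo and hi."""
    return {a for t, a in s if lo < t < hi}


def refused_at(aleph, a, t):
    """(t, a) in aleph."""
    return any(ev == a and b <= t < e for b, e, ev in aleph)


def eventually_refused(aleph, X):
    """Exists t such that [t, oo) x X is contained in aleph.  Finitely many
    half-open tokens cover a ray for event a only if one of them is unbounded."""
    return all(any(ev == a and e == INF for _, e, ev in aleph) for a in X)


def ut_R_ti(tr, timed):
    """Trace refinement relation (Section 3.1): tr utRti (u, aleph) <=> tr = strip(u)."""
    u, _ = timed
    return tuple(tr) == strip(u)


def ui_R_ti(untimed, timed):
    """Failures refinement relation (Section 3.2) between an untimed behaviour
    (label, body) with label 'f' or 'd' and a timed failure (u, aleph) with u finite."""
    label, body = untimed
    u, aleph = timed
    if label == 'f':
        tr, X = body
        return tuple(tr) == strip(u) and eventually_refused(aleph, set(X))
    if label == 'i':
        raise ValueError("infinite traces are outside this finite example")
    return False  # label 'd': divergence has no timed counterpart


def untimed_traces(timed_process):
    """utRti^-1(Q) = { strip(s) | (s, aleph) in Q }, as in the proof of Theorem 3.1."""
    return {strip(s) for s, _ in timed_process}


def prefix_closed(traces):
    """Part of the well-definedness check for an untimed traces process."""
    return all(tr[:k] in traces for tr in traces for k in range(len(tr)))


def S_b_last(tr):
    """Untimed safety specification S: whenever tr = tr0 ^ <b> ^ tr1, tr1 = <>."""
    return all(i == len(tr) - 1 for i, a in enumerate(tr) if a == 'b')


def S_translated(timed):
    """S is admissible, so its timed translation is S[strip(s)/tr] (finite traces)."""
    s, _ = timed
    return S_b_last(strip(s))


def no_a_near_b(timed, gap=8):
    """Timed specification: (t, b) in s => a not in sigma(s restricted to (t-gap, t+gap))."""
    s, _ = timed
    return all('a' not in sigma(s, t - gap, t + gap) for t, ev in s if ev == 'b')


def no_a_near_b_given_S(timed, gap=8):
    """The same property once S has been verified untimed: S rules out any a after b,
    so only the interval (t - gap, t] is left for the timed analysis."""
    s, _ = timed
    if not S_translated(timed):
        raise ValueError("untimed verification of S is the precondition")
    return all(all(a != 'a' for u, a in s if t - gap < u <= t)
               for t, ev in s if ev == 'b')
```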

Theorem 3.4 This refinement relation is complete. □

Proof We need to show that $P = {}_{UI}\mathcal{R}_{TI}^{-1}(Q)$ is a well-defined process for any timed process Q (i.e. meets axioms 1-8 given in Appendix A).

It follows from axiom 1 for $\mathcal{M}_{TI}$ that ${}_{UI}\mathcal{R}_{TI}^{-1}(Q) = P$ meets axiom 1 for $\mathcal{M}_{UI}$. Axiom 2 for $\mathcal{M}_{TI}$ yields axioms 2 and 6 for P; axiom 3 yields axiom 3; and axioms 4, 5 and 7 are trivial for P since P has no behaviours of the form (d, tr).

We have only to establish axiom 8. Consider a behaviour (f, (s, {})) ∈ P. Then there must be some timed trace $s_0$ such that $(s_0, \{\}) \in Q$ and $strip(s_0) = s$. Now by axiom 4 for $\mathcal{M}_{TI}$ there must be some closed process R such that $(s_0, \{\}) \in R$ and Q ⊆ R.

Let $c : \mathbb{P}(\mathbb{R}) \rightarrow \mathbb{R}$ be a choice function. Then define:

T_0 = \{ s_0 \}

T_{n+1} = \{ s {}^{\frown} \langle (t_a, a) \rangle \mid s \in T_n \wedge a \in \Sigma \wedge \{ t \mid (s {}^{\frown} \langle (t, a) \rangle, \{\}) \in R \} \neq \{\} \wedge t_a = c(\{ t \mid (s {}^{\frown} \langle (t, a) \rangle, \{\}) \in R \}) \}

T = \bigcup_{n \in \mathbb{N}} T_n

Since R is finitely variable and closed, any infinite trace in T comes from a legitimate infinite trace in R. And since R meets axiom 3 for $\mathcal{M}_{TI}$, the set of all events that do not extend a given finite trace in T must be refusible for all time after the corresponding timed trace in R, since there is no time after that timed trace at which any of those events is possible. It follows that T is a set of traces which establishes that axiom 8 holds for P. □

A study of the CSP operators reveals the following.

Theorem 3.5 Every CSP operator except parallel composition preserves ${}_{UI}\mathcal{R}_{TI}$ refinement. □

We again obtain that $Skip \sqsubseteq_{UI\mathcal{R}TI} \sqcap_{t \in I} Wait\ t$ for any set of times I, so arbitrary delays can be introduced into programs while still preserving timewise failures refinement.

Unfortunately, parallel composition does not preserve refinement in general. One example where it fails is in the case of two processes $Q_1$ and $Q_2$, illustrated in Figure 3.2. They are always willing to perform an event at some time in the future, by offering it periodically (so neither will eventually always refuse it), but they are unable to find any time on which they can synchronise, so their combination is able to refuse the offer forever.

Q_1 = \mu X \bullet (a \rightarrow Stop) \;\triangleright\; Wait\ 3 ; X

Q_2 = Wait\ 2 ; Q_1

Each of $Q_1$ and $Q_2$ is a refinement of $P = a \rightarrow Stop$, but $Q_1 \parallel Q_2$ is not a refinement of $P \parallel P$, since it may refuse a forever, as $Q_1$ and $Q_2$ can never synchronise on a; yet $P \parallel P$ is unable initially to refuse a.

However, we do obtain the following theorem.
[Figure 2: alternating offers (timing diagrams of $Q_1$ and $Q_2$)]


Theorem 3.6 Every CSP program P has that $P \sqsubseteq_{UI\mathcal{R}TI} P$. □

This follows from Theorem 4.2 and Theorem 4.3, presented later.


Parallel composition and refinement

The importance of the parallel operator moves us to investigate conditions under which it does preserve refinement.

Non-retraction

The example above illustrates one of the ways in which refinement may be lost by parallel composition: the periodic withdrawal of offers. It seems that one way to ensure synchronisation is to maintain offers until they are accepted.

A process which does not withdraw offers (though it may make new ones) until it next performs a visible event is termed non-retracting. This is similar to (though slightly weaker than) the notion of non-pre-emptive given in [ClZ92], although that definition is given in operational terms.

Definition 3.7 A process $S \in \mathcal{M}_{TI}$ is non-retracting if

(s, \aleph) \in S \Rightarrow (s, \aleph \cup \{ (t, a) \mid \exists u \bullet (u, a) \in \aleph \wedge end(s) \le t \le u \}) \in S

□

If an event may be refused at a time u, then it must be possible that it was continuously refused since the occurrence of the last visible event, at time end(s). Thus once an event is guaranteed to have been offered, it must be continually offered thereafter.

As expected, we obtain that parallel composition preserves refinement for non-retracting processes:


Lemma 3.8 If $P_1 \sqsubseteq_{UI\mathcal{R}TI} Q_1$ and $P_2 \sqsubseteq_{UI\mathcal{R}TI} Q_2$, and $Q_1$ and $Q_2$ are both non-retracting, then $(P_1 \parallel P_2) \sqsubseteq_{UI\mathcal{R}TI} (Q_1 \parallel Q_2)$. □

Proof This is a special case of Lemma 3.10 below, with $A_1 = A_2 = \Sigma$, and the fact that non-retraction is stronger than eventual non-retraction on Σ. □
This idea of non-retraction may be generalised, so that it is concerned only with particular events rather than all events, and with the fact that a time after which offers should be maintained is reached eventually rather than immediately.

Definition 3.9 A process $S \in \mathcal{M}_{TI}$ is eventually non-retracting on A if for any trace s there is some time t(s, S) such that

(s, \aleph) \in S \Rightarrow (s, \aleph \cup \{ (t, a) \mid a \in A \wedge \exists u \bullet (u, a) \in \aleph \wedge t(s, S) \le t \le u \}) \in S

□

Observe that if S is eventually non-retracting on A, and B ⊆ A, then it is also eventually non-retracting on B.

This form of eventual non-retraction allows a period of unstable behaviour before settling down. This permits some timeout behaviour disallowed by a non-retraction requirement. For example, $a \rightarrow P \;\triangleright^{3}\; b \rightarrow Q$ is eventually non-retracting (if P and Q are) although the offer of a will be retracted at time 3.

Lemma 3.8 may be generalised to interface parallel, by considering processes that are non-retracting on their common interface.

Lemma 3.10 If $P_1 \sqsubseteq_{UI\mathcal{R}TI} Q_1$ and $P_2 \sqsubseteq_{UI\mathcal{R}TI} Q_2$, and $Q_1$ and $Q_2$ are both eventually non-retracting on $A_1 \cap A_2$, then

(P_1 \;{}_{A_1}\parallel_{A_2}\; P_2) \sqsubseteq_{UI\mathcal{R}TI} (Q_1 \;{}_{A_1}\parallel_{A_2}\; Q_2)

□

Proof If $(i, u) \;{}_{UI}\mathcal{R}_{TI}\; (s, \aleph)$ and $(s, \aleph) \in \mathcal{F}_{TI}[\![Q_1 \;{}_{A_1}\parallel_{A_2}\; Q_2]\!]$, then it follows immediately that $(i, u \upharpoonright A_1) \in \mathcal{F}_{UI}[\![P_1]\!] \wedge (i, u \upharpoonright A_2) \in \mathcal{F}_{UI}[\![P_2]\!]$, and hence that $(i, u) \in \mathcal{F}_{UI}[\![P_1 \;{}_{A_1}\parallel_{A_2}\; P_2]\!]$.

Consider a behaviour $(s, \aleph) \in \mathcal{F}_{TI}[\![Q_1 \;{}_{A_1}\parallel_{A_2}\; Q_2]\!]$, with $(f, (tr, X)) \;{}_{UI}\mathcal{R}_{TI}\; (s, \aleph)$. Then tr = strip(s), and $\exists t \bullet [t, \infty) \times X \subseteq \aleph$. Now by the semantics of the parallel operator, there are $\aleph_1$ and $\aleph_2$ such that $(s \upharpoonright A_1, \aleph_1) \in \mathcal{F}_{TI}[\![Q_1]\!]$, $(s \upharpoonright A_2, \aleph_2) \in \mathcal{F}_{TI}[\![Q_2]\!]$, and $\aleph \upharpoonright (A_1 \cup A_2) = (\aleph_1 \upharpoonright A_1) \cup (\aleph_2 \upharpoonright A_2)$. Define

X_1 = \{ a \in X \cap A_1 \mid \forall t \bullet a \in \sigma(\aleph_1 \downharpoonright t) \}

X_2 = \{ a \in X \cap A_2 \mid \forall t \bullet a \in \sigma(\aleph_2 \downharpoonright t) \}

Then $X_1 \cup X_2 = X \cap (A_1 \cup A_2)$. Furthermore, by the eventual non-retraction of $Q_1$ and $Q_2$, it follows that there are $t_1$ and $t_2$ such that

(s \upharpoonright A_1, \aleph_1 \cup [t_1, \infty) \times X_1) \in \mathcal{F}_{TI}[\![Q_1]\!]

(s \upharpoonright A_2, \aleph_2 \cup [t_2, \infty) \times X_2) \in \mathcal{F}_{TI}[\![Q_2]\!]

Since each $P_i$ is refined by the corresponding $Q_i$, it follows that

(f, (strip(s) \upharpoonright A_1, X_1)) \in \mathcal{F}_{UI}[\![P_1]\!]

(f, (strip(s) \upharpoonright A_2, X_2)) \in \mathcal{F}_{UI}[\![P_2]\!]

and so $(f, (strip(s), X_1 \cup X_2)) \in \mathcal{F}_{UI}[\![P_1 \;{}_{A_1}\parallel_{A_2}\; P_2]\!]$ by the semantics of the parallel operator. Hence the parallel operator preserves refinement for eventually non-retracting processes. □

However, if only one of the processes is non-retracting, then the refinement need not be preserved through a parallel combination. For example, consider the following processes, illustrated in Figure 3.2.

Q_1 = Wait\ 2 ; \mu X \bullet (0 \rightarrow Stop \;\Box\; Wait\ 1 ; succ(X))

Q_2 = \mu X \bullet (n : \mathbb{N} \rightarrow Stop) \;\triangleright^{1}\; succ(X)


[Figure 3: non-synchronising offers (timing diagrams of $Q_1$ and $Q_2$)]

The process $Q_1$ makes natural numbers available, one at a time. It is non-retracting, and it is also a refinement of $P_1 = n : \mathbb{N} \rightarrow Stop$; on the empty trace, nothing may be refused forever. The process $Q_2$ begins with all natural numbers available, and retracts them one at a time. It is a refinement of

P_2 = \sqcap_{F \in \mathrm{fin}\,\mathbb{N}} \; n : (\mathbb{N} \setminus F) \rightarrow Stop

for which all events are possible, and any finite set of events may eventually be refused forever. The parallel combination $Q_1 \parallel Q_2$ is equivalent to Stop, since there is no event that $Q_1$ and $Q_2$ may cooperate on: $Q_1$ is prepared to perform event m from time m + 2 onwards, but $Q_2$ is not prepared to perform it beyond time m + 1. On the other hand, $P_1 \parallel P_2$ is equivalent to $P_2$, which is unable to deadlock before any events have been performed. Hence $Q_1 \parallel Q_2$ is not a refinement of $P_1 \parallel P_2$, even though $Q_1$ is non-retracting.
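The offer windows of $Q_1$ and $Q_2$ above, as an added Python sketch (constructed here, not the paper's semantics) that checks why the parallel combination can never synchronise while each component alone matches its untimed abstraction on the empty trace; the windows are read off the two process definitions, and the natural numbers are explored only up to a bound.

```python
import math

INF = math.inf

# Offer windows [begin, end) for event n on the empty trace, read off the two
# definitions in the text (a constructed abstraction, not the timed semantics):
#   Q1 = Wait 2 ; mu X . (0 -> Stop [] Wait 1 ; succ(X))   n offered from n + 2, never withdrawn
#   Q2 = mu X . (n : N -> Stop) |>1 succ(X)                n offered from 0, withdrawn at n + 1


def q1_window(n):
    return (n + 2, INF)


def q2_window(n):
    return (0, n + 1)


def overlap(w1, w2):
    """Two half-open windows share a synchronisation time iff they intersect."""
    return max(w1[0], w2[0]) < min(w1[1], w2[1])


def parallel_can_ever_sync(bound):
    """Is there any event n < bound that Q1 || Q2 could perform at some time?"""
    return any(overlap(q1_window(n), q2_window(n)) for n in range(bound))


def eventually_refused_forever(window):
    """[t, oo) x {n} can be refused for some t iff the offer is withdrawn at a finite time."""
    return window[1] < INF


def q1_can_eventually_refuse(X):
    """On <>, can Q1 refuse every event of the finite set X forever?
    Only for X = {}, which is what P1 = n : N -> Stop allows."""
    return all(eventually_refused_forever(q1_window(n)) for n in X)


def q2_can_eventually_refuse(X):
    """On <>, can Q2 refuse every event of the finite set X forever?  Yes for any
    finite X, exactly the failures of P2 = |~| F in fin N . n : (N \\ F) -> Stop."""
    return all(eventually_refused_forever(q2_window(n)) for n in X)


def parallel_can_eventually_refuse(X):
    """Q1 || Q2 (synchronising on every event) refuses n forever iff the windows never meet,
    so it may refuse any set forever on <>: the combination behaves as Stop."""
    return all(not overlap(q1_window(n), q2_window(n)) for n in X)
```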

Promptness

The above example highlights other ways in which parallel combination can fail to preserve refinement. If $Q_1$ had made all of its offers by some time t, then the counterexample would not work, since the non-retraction of $Q_1$ ensures that all of the offers made by time t must remain on offer until acceptance occurs.

We define a process to be t-prompt if it must make its offers by time t: if a set may be refused up to time t, then it may be refused forever.

Definition 3.11 A process $S \in \mathcal{M}_{TI}$ is t-prompt if

(s, \aleph) \in S \wedge [u, u + t) \times A \subseteq \aleph \wedge u \ge end(s) \Rightarrow (s, \aleph \cup [u, \infty) \times A) \in S

□

We then obtain the following alternative result, which places no constraints upon $Q_2$.

Lemma 3.12 If $P_1 \sqsubseteq_{UI\mathcal{R}TI} Q_1$ and $P_2 \sqsubseteq_{UI\mathcal{R}TI} Q_2$, and $Q_1$ is non-retracting and t-prompt for some t, then $(P_1 \parallel P_2) \sqsubseteq_{UI\mathcal{R}TI} (Q_1 \parallel Q_2)$. □

Proof This is a special case of Lemma 3.14 below. □

Promptness may be generalised to apply only to a particular set of events A.

Definition 3.13 A process $S \in \mathcal{M}_{TI}$ is t-prompt on A if

(s, \aleph) \in S \wedge B \subseteq A \wedge [u, u + t) \times B \subseteq \aleph \wedge u \ge end(s) \Rightarrow (s, \aleph \cup [u, \infty) \times B) \in S

□

Then the condition for parallelism to preserve refinement may be correspondingly generalised: if the interface between two processes may be split into two parts, and each process is prompt and non-retracting on a different part, then refinement will be preserved by parallel composition.

Lemma 3.14 If $P_1 \sqsubseteq_{UI\mathcal{R}TI} Q_1$, $P_2 \sqsubseteq_{UI\mathcal{R}TI} Q_2$, $B_1 \cup B_2 = A_1 \cap A_2$, $Q_1$ is eventually non-retracting on $B_1$ and prompt on $B_1$, and $Q_2$ is eventually non-retracting on $B_2$ and prompt on $B_2$, then

(P_1 \;{}_{A_1}\parallel_{A_2}\; P_2) \sqsubseteq_{UI\mathcal{R}TI} (Q_1 \;{}_{A_1}\parallel_{A_2}\; Q_2)

□

Proof It is clear that infinite traces of the timed process will appear in untimed form in the untimed process. So we need only show that

(f, (tr, X)) \;{}_{UI}\mathcal{R}_{TI}\; (s, \aleph) \wedge (s, \aleph) \in \mathcal{F}_{TI}[\![Q_1 \;{}_{A_1}\parallel_{A_2}\; Q_2]\!] \Rightarrow (f, (tr, X)) \in \mathcal{F}_{UI}[\![P_1 \;{}_{A_1}\parallel_{A_2}\; P_2]\!]

Assume the antecedent, and consider $(s, \aleph) \in \mathcal{F}_{TI}[\![Q_1 \;{}_{A_1}\parallel_{A_2}\; Q_2]\!]$, built from behaviours $(s \upharpoonright A_1, \aleph_1) \in \mathcal{F}_{TI}[\![Q_1]\!]$ and $(s \upharpoonright A_2, \aleph_2) \in \mathcal{F}_{TI}[\![Q_2]\!]$, where we have $(\aleph_1 \upharpoonright A_1) \cup (\aleph_2 \upharpoonright A_2) = \aleph \upharpoonright (A_1 \cup A_2)$. We have by the relation ${}_{UI}\mathcal{R}_{TI}$ that tr = strip(s), and also $t \ge end(s) + \max\{ t(s \upharpoonright A_1, Q_1), t(s \upharpoonright A_2, Q_2) \}$ for some t such that $[t, \infty) \times X \subseteq \aleph$. Now $Q_1$ is $t_1$-prompt for some $t_1$, and $Q_2$ is $t_2$-prompt for some $t_2$. Define

X_1 = \sigma((\aleph_1 \upharpoonright (X \cap A_1 \cap B_1)) \downharpoonright (t + t_1))

Y_1 = \{ a \in X \cap A_1 \cap B_2 \mid [t_2 + t, \infty) \times \{a\} \subseteq \aleph_1 \}

X_2 = \sigma((\aleph_2 \upharpoonright (X \cap A_2 \cap B_2)) \downharpoonright (t + t_2))

Y_2 = \{ a \in X \cap A_2 \cap B_1 \mid [t_1 + t, \infty) \times \{a\} \subseteq \aleph_2 \}

Then $X_1 \cup Y_1 \cup X_2 \cup Y_2 = X \cap (A_1 \cup A_2)$. Now since $Q_1$ is eventually non-retracting on $B_1$, it follows (also using subset closure of refusals for $Q_1$) that

(s \upharpoonright A_1, \aleph_1 \cup [t, t + t_1) \times X_1) \in \mathcal{F}_{TI}[\![Q_1]\!]

And hence it follows by promptness that

(s \upharpoonright A_1, \aleph_1 \cup [t, \infty) \times X_1) \in \mathcal{F}_{TI}[\![Q_1]\!]

Also, observe that $[t_2 + t, \infty) \times Y_1 \subseteq \aleph_1$. Since $Q_1$ is a refinement of $P_1$ it follows that $(f, (tr \upharpoonright A_1, X_1 \cup Y_1)) \in \mathcal{F}_{UI}[\![P_1]\!]$. Similarly we obtain that $(f, (tr \upharpoonright A_2, X_2 \cup Y_2)) \in \mathcal{F}_{UI}[\![P_2]\!]$. Thus from the semantics of parallel, we obtain that $(f, (tr, X)) \in \mathcal{F}_{UI}[\![P_1 \;{}_{A_1}\parallel_{A_2}\; P_2]\!]$, yielding the result. □

This result is particularly useful, as it applies immediately to systems such as those described in terms of input/output automata [LyV92] where input is always possible, and so components are always non-retracting and prompt on input. In these systems, parallel composition connects outputs from one process to corresponding inputs of the other. Thus the interface in a parallel composition may be partitioned into those events input by one component, and those input by the other. The two processes will be prompt and non-retracting on these two sets respectively.

This result may also be applied to CSP descriptions of occam programs, since in such programs output guards are not permitted. Once a process is prepared to perform an output, it remains ready to perform it until it occurs. Consequently, processes are always non-retracting on output, so parallel composition will preserve refinement for prompt components.

Compactness

The final condition we will present here concerns the nature of the untimed processes $P_1$ and $P_2$. A process is compact if its refusals are determined (in a particular way) by the finite refusal sets. If the untimed processes are compact, then it turns out that only one of the timed processes need be non-retracting for refinement to be preserved by the parallel operator. In the example above, $P_2$ fails this condition; any finite subset of $\mathbb{N}$ may be refused, but infinite subsets may not.

Definition 3.15 A process P in $\mathcal{M}_{UI}$ is compact if for any $tr \in \Sigma^*$, $Y \subseteq \Sigma$ we have

(\forall X \subseteq_{\mathrm{fin}} Y \bullet (f, (tr, X)) \in P) \Rightarrow (f, (tr, Y)) \in P

□

Lemma 3.16 If $P_1 \sqsubseteq_{UI\mathcal{R}TI} Q_1$, $P_2 \sqsubseteq_{UI\mathcal{R}TI} Q_2$, $Q_1$ is eventually non-retracting on $A_1 \cap A_2$, and $P_1, P_2$ are compact, then

(P_1 \;{}_{A_1}\parallel_{A_2}\; P_2) \sqsubseteq_{UI\mathcal{R}TI} (Q_1 \;{}_{A_1}\parallel_{A_2}\; Q_2)

□

Proof It is clear that infinite traces of the timed process will appear in the untimed process. So we need only show that

(f, (tr, X)) \;{}_{UI}\mathcal{R}_{TI}\; (s, \aleph) \wedge (s, \aleph) \in \mathcal{F}_{TI}[\![Q_1 \;{}_{A_1}\parallel_{A_2}\; Q_2]\!] \Rightarrow (f, (tr, X)) \in \mathcal{F}_{UI}[\![P_1 \;{}_{A_1}\parallel_{A_2}\; P_2]\!]

Consider $(s, \aleph) \in \mathcal{F}_{TI}[\![Q_1 \;{}_{A_1}\parallel_{A_2}\; Q_2]\!]$, built from behaviours $(s, \aleph_1) \in \mathcal{F}_{TI}[\![Q_1]\!]$ and $(s, \aleph_2) \in \mathcal{F}_{TI}[\![Q_2]\!]$, where $\aleph_1 \upharpoonright A_1 \cup \aleph_2 \upharpoonright A_2 = \aleph \upharpoonright (A_1 \cup A_2)$. We have by the relation ${}_{UI}\mathcal{R}_{TI}$ that tr = strip(s), and also that there is some $t \ge end(s) + t(s \upharpoonright A_1, Q_1)$ such that $[t, \infty) \times X \subseteq \aleph$. Define

X_1 = \{ a \in X \cap A_1 \mid \forall t_1 \bullet a \in \sigma(\aleph_1 \downharpoonright t_1) \}

X_2 = \{ a \in X \cap A_2 \mid \exists u \bullet [u, \infty) \times \{a\} \subseteq \aleph_2 \}

Since $\aleph_1 \upharpoonright A_1 \cup \aleph_2 \upharpoonright A_2 = \aleph \upharpoonright (A_1 \cup A_2)$, we have that $X_1 \cup X_2 = X$. Since $Q_1$ is eventually non-retracting, we obtain that $(s, \aleph_1 \cup [t, \infty) \times X_1) \in \mathcal{F}_{TI}[\![Q_1]\!]$. Since $P_1$ is refined by $Q_1$, we have that $(f, (tr, X_1)) \in \mathcal{F}_{UI}[\![P_1]\!]$.

Now consider a finite set $\{a_1, a_2, \ldots, a_n\} = Y \subseteq X_2$. For each $a_i$ there is a corresponding time $t_i$ such that $[t_i, \infty) \times \{a_i\} \subseteq \aleph_2$. Thus there is a time $t_0 = \max\{t_i\}$ such that $[t_0, \infty) \times Y \subseteq \aleph_2$. Since $P_2$ is refined by $Q_2$, it follows that $(f, (tr, Y)) \in \mathcal{F}_{UI}[\![P_2]\!]$. This is true for all finite subsets Y of $X_2$, so by compactness of $P_2$ we have that $(f, (tr, X_2)) \in \mathcal{F}_{UI}[\![P_2]\!]$. Hence $(f, (tr, X)) \in \mathcal{F}_{UI}[\![P_1 \;{}_{A_1}\parallel_{A_2}\; P_2]\!]$ as required. □

Compactness is often easy to check, since it will be present in any process not containing infinite non-determinism. Thus any program not containing any infinite choice will automatically be compact.


Specification

In the untimed infinite traces model specifications may be considered as consisting of three components, dealing with the failures, divergences and infinite traces. In other words, for any given S(l, b) there are $S_f$, $S_d$ and $S_i$ such that

S(l, b) \iff (l = \text{`}f\text{'} \wedge b = (tr, X)) \Rightarrow S_f(tr, X)
\;\wedge\; (l = \text{`}d\text{'} \wedge b = tr) \Rightarrow S_d(tr)
\;\wedge\; (l = \text{`}i\text{'} \wedge b = u) \Rightarrow S_i(u)

Then a specification $(S_f, S_d, S_i)$ translates to the timed specification

\#u < \infty \wedge [t, \infty) \times X \subseteq \aleph \Rightarrow S_f(strip(u), X)
\;\wedge\; \#u = \infty \Rightarrow S_i(strip(u))

For example, the specification 'deadlock-free' constrains only the possible failure set, with $S_f(tr, X) \iff X \neq \Sigma$. The translation is equivalent to

\#u < \infty \Rightarrow \neg \exists t \bullet [t, \infty) \times \Sigma \subseteq \aleph

which is the timed version of deadlock-freedom. Thus an untimed verification of deadlock-freedom for a system remains valid under timewise refinement.

The untimed specification of a buffer may be given simply as a predicate $S_f$:

S_f(tr, X) \iff tr \downarrow out \le tr \downarrow in
\;\wedge\; tr \downarrow out = tr \downarrow in \Rightarrow X \cap in = \{\}
\;\wedge\; tr \downarrow out < tr \downarrow in \Rightarrow out \not\subseteq X

where $tr \downarrow c$ is the sequence of messages recorded in tr on channel c.

The translation is equivalent to the following timed specification:

strip(u) \downarrow out \le strip(u) \downarrow in
\;\wedge\; strip(u) \downarrow out = strip(u) \downarrow in \Rightarrow \neg \exists t, m \bullet [t, \infty) \times \{in.m\} \subseteq \aleph
\;\wedge\; strip(u) \downarrow out < strip(u) \downarrow in \Rightarrow \neg \exists t \bullet [t, \infty) \times out \subseteq \aleph

which is the specification of a timed buffer.

As an example of an application of the theory, consider Roscoe's first (untimed) buffer law presented in [Hoa85], which tells us that the chaining together of two buffers is again a buffer. The chaining operator is defined in terms of parallel, hiding, and renaming (where $swap_{a,b}$ renames channel a to b and vice versa):

P_1 \gg P_2 = (swap_{out,c}(P_1) \;{}_{\{in,c\}}\parallel_{\{out,c\}}\; swap_{in,c}(P_2)) \setminus c

However, this law does not hold in general in the timed model. As we have seen, $B_1$ and $B_2$ might fail to agree on a time to synchronise on their common internal channel, resulting in their combination refusing ever to output.

In order to establish conditions under which the law does hold, we will make use of the fact that untimed buffers are compact (since if some input can be refused, then so too can all possible inputs), and also of the fact that the refinement relations in this paper are complete, which yields that every timed buffer is a refinement of some untimed buffer. We may then obtain conditions under which a chain of buffers again yields a buffer.

For example, if every buffer $B_i$ is eventually non-retracting on input, then the chain $B_1 \gg B_2 \gg \ldots \gg B_n$ is again a buffer, eventually non-retracting on input. This follows from the fact that each $B_i$ is a refinement of some buffer $A_i$; that we have a condition which may be applied at every step of building up the chain to ensure that the timed chain refines the untimed chain (in the general parallel case, we require only non-retraction on the interface); and that the chain $A_1 \gg A_2 \gg \ldots \gg A_n$ is an untimed buffer (from Roscoe's law), from which it follows that any refinement of it is a timed buffer. A similar result holds if each $B_i$ is non-retracting on output; or if odd (or even) numbered buffers are non-retracting on both input and output. It follows that the combination $B_1 \gg COPY \gg B_2 \gg \ldots \gg COPY \gg B_n$ is a buffer, for any timed buffers $B_i$.


4 An operational view

An alternative semantic approach that is often employed in the theory of process algebra is operational: processes are defined in terms of transitions that they may perform and subsequent states that may be reached. Within this framework, equivalence between processes may be characterised in terms of bisimulation relations [Mil89], or by means of equivalence under some notion of testing [Hen88].

In the testing approach, a test is defined to be a process T which also has the capacity to perform a special success event ω, which is considered to be distinct from the set of synchronisation events Σ. An execution of a process P is a maximal (finite or infinite) sequence of transitions starting from P. Then we say that P may T if there is some execution of $(P \parallel T) \setminus \Sigma$ which passes through a state from which ω is a possible transition; and P must T if every execution of $(P \parallel T) \setminus \Sigma$ passes through such a state. Then P is equivalent to Q under may testing if for any test T, P may T ⇔ Q may T; and P and Q are equivalent under must testing if P must T ⇔ Q must T for any test T.

An operational semantics has been given for CSP in [BRW9x] and [Ros88]. Transitions are given as $P \xrightarrow{\mu} P'$, indicating that a process P may perform a μ event (i.e. an internal or visible event) and then behave as P'. In this section we will subscript the transition with a u to indicate that this is an untimed transition. Equivalence in the untimed traces model $\mathcal{M}_{UT}$ is exactly the same as equivalence under may testing using the transitions given in [Ros88]; and equivalence in the untimed infinite traces model $\mathcal{M}_{UI}$ is exactly the same as equivalence under must testing using those transitions. More details may be found in [Hen88, BRW9x, Ros88]. The important properties from our point of view are that each trace of P predicted by the traces model corresponds to an execution of P in which that sequence of visible events is performed (as well as possibly some internal events); that any divergence corresponds to an execution in which some prefix of the divergent trace is performed, followed by an infinite sequence of internal τ steps; any failure (tr, X) corresponds either to a divergence (i.e. an infinite sequence of τ steps after some prefix of the trace) or to an execution in which the entire sequence tr of events is performed, and a state is reached from which no internal progress can be made, and from which no event in the refusal set X is possible; and for every infinite trace u there is an execution which either diverges after some prefix of u or performs the entire sequence of events u. And conversely, any execution given by the operational semantics is recorded appropriately in the denotational semantics.

An operational semantics has also been provided for timed CSP in [Sch93], where processes may undergo timed transitions: $P \xrightarrow{(t, \mu)} P'$ indicates that the process P may perform event μ at time t, and subsequently behave as P'. We will subscript timed transitions with t to distinguish them from untimed transitions. Evolutions, or time passing transitions, were also provided in the operational semantics. Equivalence in the infinite timed failures model $\mathcal{M}_{TI}$ is the same as equivalence under must testing using the transitions given in [Sch93]. Again, tim失ed failures (s, ℵ) are present in the denotational semantics of a process P precisely when there is some execution of P in which events are performed at the times recorded in s, passing through states in which the events recorded in the refusal set ℵ were not possible.

Every CSP operator except for timeout has an untimed operational semantics. We may also describe untimed transitions for the timeout operator. The timeout may always be resolved by its left-hand argument performing a visible action, but any internal progress made by that argument does not resolve the timeout:

$$\frac{P \xrightarrow{a}_u P'}{P \rhd Q \xrightarrow{a}_u P'} \qquad\qquad \frac{P \xrightarrow{\tau}_u P'}{P \rhd Q \xrightarrow{\tau}_u P' \rhd Q}$$

Furthermore, the timeout may occur:

$$P \rhd Q \xrightarrow{\tau}_u Q$$

Thus every timed CSP process has both an untimed and a timed operational semantics. We may then consider a test T both at the timed and at the untimed level. Then we will say $P\ \mathit{may}_u\ T$ if some execution of $(P \parallel T) \setminus \Sigma$ in terms of untimed $\rightarrow_u$ transitions passes through a state in which $\omega$ is possible; and we will use $P\ \mathit{must}_u\ T$, $P\ \mathit{may}_t\ T$ and $P\ \mathit{must}_t\ T$ in a similar fashion.

A useful relationship between a timed process and an untimed one is that of untimed/timed similarity, which essentially says that executions of the timed process can be matched by executions of the untimed.

Definition 4.1 Relation R is an untimed/timed similarity if whenever R(P, Q), then

1. If $Q \xrightarrow{(t,a)}_t Q'$ then there is some P' such that $P \xrightarrow{a}_u P'$ and R(P', Q').

2. If $P \xrightarrow{a}_u$ then there is some process P', Q', and time t such that $P \xrightarrow{a}_u P'$ and $Q \xrightarrow{(t,a)}_t Q'$ and R(P', Q').

We say that P and Q are untimed/timed similar if there is some untimed/timed similarity that holds between them.


Theorem 4.2 If P and Q are untimed/timed similar, then $P \sqsubseteq_{UT \cap TI} Q$ and $P \sqsubseteq_{UI \cap TI} Q$. □


Proof (sketch) This follows from the above-mentioned equivalence of the denotational and operational semantics in both the untimed cases and the timed case. In the first case, if there is a timed trace s of Q, then there is some execution of Q which gives rise to this trace. But then by untimed/timed similarity, every step of this execution can be matched by an untimed step, so there is an equivalent untimed execution of P, which corresponds to the trace strip(s). Since the untimed operational and denotational semantics are equivalent, the trace strip(s) appears in the trace set of P.

In the case of failures refinement, similar reasoning shows that infinite timed traces will be matched by infinite untimed ones; and a timed failure $(s, [t, \infty) \times X)$ with finite trace s will correspond to some execution of Q. After the trace s has been performed there are two possibilities. The execution may contain an infinite sequence of internal events; these can be matched by P, leading to a divergence and the inclusion of $(f, (\mathit{strip}(s), X))$ as a failure of P. The other possibility is that a final state is reached from which no event in X, or any further internal progress, is possible (since X is refused from that point onwards); in this case a corresponding untimed state in which X may be refused is reachable from P by means of a corresponding execution, and the failure $(f, (\mathit{strip}(s), X))$ again appears as a failure of P. □

Theorem 4.3 Every CSP process P is untimed/timed similar to itself. □

Proof Let the relation R hold between two processes if they are syntactically identical up to the values of timeouts. A straightforward structural induction on the structure of the untimed process shows that R is an untimed/timed similarity. It follows that any process P is untimed/timed similar to itself. □

In the traces model, $P \sqsubseteq Q$ is true exactly when $\forall T \bullet (Q\ \mathit{may}\ T \Rightarrow P\ \mathit{may}\ T)$. By analogy, we may characterise an operational version of timed refinement, where if Q may pass a timed test T, then P may pass the same T considered as an untimed test.

Definition 4.4 $P \sqsubseteq_t Q$ is defined by

$$P \sqsubseteq_t Q \;\Leftrightarrow\; \forall T : Q\ \mathit{may}_t\ T \Rightarrow P\ \mathit{may}_u\ T$$

□

It turns out that this notion of refinement is the same as the denotational version of traces refinement.

Theorem 4.5 $P \sqsubseteq_t Q \;\Leftrightarrow\; P \sqsubseteq_{UT \cap TI} Q$ □

Proof "⇒" Assume $P \not\sqsubseteq_{UT \cap TI} Q$. Then there is some trace s of Q such that strip(s) is not a trace of P. Let $s = \langle (t_1, a_1), \ldots, (t_n, a_n) \rangle$. Then define the test T by

$$T = a_1 \to \cdots \to a_n \to \omega \to \mathit{Stop}$$

Since the timed operational semantics are equivalent to the denotational semantics, there is some execution of Q giving rise to trace s, so there is some execution of $(Q \parallel T) \setminus \Sigma$ which reaches a state in which T can perform $\omega$. However, there is no such execution of $(P \parallel T) \setminus \Sigma$, since if there were then this would correspond to P performing the events in strip(s), which would mean that strip(s) is a trace of P, yielding a contradiction. Thus $Q\ \mathit{may}_t\ T$ but $\neg(P\ \mathit{may}_u\ T)$, and so $\neg(P \sqsubseteq_t Q)$.

"⇐" Assume $P \sqsubseteq_{UT \cap TI} Q$, and consider a test T for which $Q\ \mathit{may}_t\ T$. Then there is some execution of $(Q \parallel T) \setminus \Sigma$ which leads to a state in which $\xrightarrow{\omega}_t$ is possible. The contribution of Q to this execution corresponds to some timed trace s. Then strip(s) is a trace of P, so P has some execution giving rise to strip(s). Now since T is untimed/timed similar to itself, $(P \parallel T) \setminus \Sigma$ has an execution which takes T through untimed states that are untimed/timed similar to the timed states T passed through in the successful execution of $(Q \parallel T) \setminus \Sigma$, so it reaches a state in which an $\xrightarrow{\omega}_u$ transition is possible. Thus $P\ \mathit{may}_u\ T$. □

In the failures/divergences model, $P \sqsubseteq Q$ is equivalent to $P\ \mathit{must}\ T \Rightarrow Q\ \mathit{must}\ T$ for any T. Again by analogy, we characterise an operational version of timed refinement:

Definition 4.6 $P \sqsubseteq_f Q$ is defined by

$$P \sqsubseteq_f Q \;\Leftrightarrow\; \forall T : P\ \mathit{must}_u\ T \Rightarrow Q\ \mathit{must}_t\ T$$

□

This formulation of refinement is equivalent to the denotational version of failures refinement.
Theorem 4.7 $P \sqsubseteq_f Q \;\Leftrightarrow\; P \sqsubseteq_{UI \cap TI} Q$ □

Proof "⇒" If $P \not\sqsubseteq_{UI \cap TI} Q$ then either (1) there is some $(s, [t, \infty) \times X) \in \mathcal{F}_{TI}[\![Q]\!]$ with $(\mathit{strip}(s), X) \notin \mathcal{F}_{UF}[\![P]\!]$, or (2) there is some infinite trace s such that $(s, \{\}) \in \mathcal{F}_{TI}[\![Q]\!]$ and $\mathit{strip}(s) \notin \mathcal{F}_I[\![P]\!]$.

1 Let $s = \langle (t_1, a_1), \ldots, (t_n, a_n) \rangle$, and let $t_0 = 0$. Define

$$T_i = \mathit{Wait}(t_i - t_{i-1});\ ((a_i \to T_{i+1}) \rhd (\omega \to \mathit{Stop})) \qquad 0 < i \le n$$
$$T_{n+1} = \mathit{Wait}(t - t_n);\ x : X \to \omega \to \mathit{Stop}$$

If $(P \parallel T_1) \setminus \Sigma$ has an execution that is not successful, then the contribution from P must correspond to the failure (strip(s), X), yielding a contradiction. Thus $P\ \mathit{must}_u\ T_1$. On the other hand, Q has an execution corresponding to $(s, [t, \infty) \times X)$, and so $(Q \parallel T_1) \setminus \Sigma$ does have an unsuccessful execution, thus $\neg(Q\ \mathit{must}_t\ T_1)$.

2 Let $s = \langle (t_1, a_1), \ldots, (t_i, a_i), \ldots \rangle$. Then let the trace during an interval $[n, n+1)$ be given by $\langle (t_{n,1}, a_{n,1}), \ldots, (t_{n,m}, a_{n,m}) \rangle$. This must be finite for any interval, since the trace s is finitely variable, i.e. its restriction to any finite interval is finite. Define

$$T_{n,i} = \mathit{Wait}(t_{n,i} - t_{n,i-1});\ ((a_{n,i} \to T_{n,i+1}) \rhd (\omega \to \mathit{Stop})) \qquad 0 < i \le m$$
$$T_{n,m+1} = \mathit{Stop}$$
$$T_n = T_{n,1} \;|||\; \mathit{Wait}\ 1;\ T_{n+1}$$

(This formulation is required to ensure that each of the equations for the $T_i$ is 1-guarded.) Then if $(P \parallel T_0) \setminus \Sigma$ has an unsuccessful execution, the contribution of P must correspond to strip(s), yielding a contradiction; thus $P\ \mathit{must}_u\ T_0$. However, $(Q \parallel T_0) \setminus \Sigma$ does have an unsuccessful execution, driven by an execution of Q corresponding to s. Thus $\neg(Q\ \mathit{must}_t\ T_0)$.

"⇐" Assume that $P \sqsubseteq_{UI \cap TI} Q$, and that $\neg(Q\ \mathit{must}_t\ T)$. It will be enough to prove that $\neg(P\ \mathit{must}_u\ T)$. Consider an unsuccessful execution of $(Q \parallel T) \setminus \Sigma$. There are a number of possibilities; we consider the events that were internalised by the $\setminus \Sigma$ abstraction:

* $Q \parallel T$ performs infinitely many events from $\Sigma$. Then there is a corresponding infinite trace s of both Q and T. Since $P \sqsubseteq_{UI \cap TI} Q$, the trace strip(s) is an infinite trace of P. If P diverges at some point along strip(s), then this will give rise to an unsuccessful execution of $(P \parallel T) \setminus \Sigma$. Otherwise, since T is untimed/timed similar to itself, there is an infinite untimed execution of T performing the same events, and passing through untimed/timed similar states to those reached in the timed execution. Hence there is an infinite execution of $(P \parallel T) \setminus \Sigma$ where $\omega$ is not possible in any state (since the possibility of $\omega$ depends purely on the state reached by T), and so $\neg(P\ \mathit{must}_u\ T)$.

* $Q \parallel T$ performs finitely many events from $\Sigma$:

  - If T performs infinitely many timed $\tau$ transitions, then it may perform infinitely many untimed ones, passing through similar states, so if P does not diverge (leading to an unsuccessful execution) then this will yield an unsuccessful execution of $(P \parallel T) \setminus \Sigma$.

  - If T performs finitely many $\tau$ actions, then it will arrive in a final state T'. Any events that T' is able to perform are blocked by Q for all time, and so P (if it does not diverge) can reach a stable state P'' in which none of those events are possible. Since T may by untimed transitions reach a state T'' untimed/timed similar to T', T'' is also unable to perform those events that T' was unable to perform, and so $P'' \parallel T''$ will be unable to progress. Thus the execution from $P \parallel T$ to $P'' \parallel T''$ is maximal, and furthermore is unsuccessful.

□


5 A simple example

The well-known alternating bit protocol is a useful common example, since it has been treated by so many different formalisms that it provides a means of comparing and contrasting them. We will use it here simply to illustrate some of the techniques presented earlier.

The untimed alternating bit protocol consists of a sender and receiver communicating over two lossy channels. The nature of a generic lossy channel may be specified at the untimed level using the infinite traces model. The specification SM on a medium $M_{in,out}$ with input in and output out consists of three parts:

$$\begin{array}{ll}
M1 & s \downarrow out \preceq s \downarrow in \\
M2 & out.M \not\subseteq X \;\vee\; in.M \cap X = \{\} \\
M3 & \#(u \upharpoonright in) = \infty \Rightarrow \#(u \upharpoonright out) = \infty
\end{array}$$

M1 simply states that the sequence of messages passed on channel out should be a (not necessarily contiguous) subsequence of those passed on channel in, so messages may be lost but not corrupted; M2 states that at least one of input and output should not be refused (where X is the refusal set); and M3 is a fairness condition that requires that output should not be lost infinitely often.

The requirement we have of the entire system is that it should behave as a (one-place) buffer. Our specification is

$$\begin{array}{ll}
SPEC = & s \downarrow out \le s \downarrow in \\
\wedge & s \downarrow out = s \downarrow in \Rightarrow in.M \cap X = \{\} \\
\wedge & s \downarrow out < s \downarrow in \Rightarrow out.M \not\subseteq X
\end{array}$$

The network used is pictured as follows:

The basic idea of the protocol is to add an extra bit to each of the messages sent along the lossy channels which alternates between 0 and 1. The sending process sends multiple copies of each message until it receives an acknowledgement. As soon as the receiving process gets a new message it sends acknowledgements of it until the next message arrives. The two ends can always spot a new message or acknowledgement because of the alternating bit.

The two media are described as $M1 = M_{a,b}$ and $M2 = M_{c,d}$, passing messages from a to b, and from c to d.

This strategy may be captured by the following CSP descriptions of the sender S and the receiver R. We set R = R(0) and S = S(0), where for $s \in \{0, 1\}$ and x in the set of messages M we define

$$\begin{array}{lcl}
S(s) & = & in?x \to S'(s,x) \\
S'(s,x) & = & a!(s,x) \to S'(s,x) \\
 & \Box & d?s \to S(\bar{s}) \\
 & \Box & d?\bar{s} \to a!(s,x) \to S'(s,x) \\
R(s) & = & b?(s,x) \to out!x \to c!s \to R(\bar{s}) \\
 & \Box & b?(\bar{s},x) \to c!\bar{s} \to R(s)
\end{array}$$

The entire network consists of the parallel combination of the sender and receiver together with the two media; and the channels a, b, c, and d are all made internal.

$$NETWORK = ((S \;|||\; R) \;{}_{\Sigma}\|_{\{a,b,c,d\}}\; (M1 \;|||\; M2)) \setminus \{a, b, c, d\}$$

Since the sender and receiver operate asynchronously, and the media also operate asynchronously, their combinations may be modelled using the interleaving operator $|||$, and the network considered as the parallel combination of the protocol and the media.


An analysis at the untimed level establishes that the system is livelock-free, essentially because of the fairness of the media, which cannot lose an infinite sequence of messages. It is also deadlock-free: if S cannot make progress, then it must be waiting for both media, which must therefore both be ready to interact with R, and so R is able to make progress. Finally, it is straightforward to show that it is functionally equivalent to a one-place buffer.
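The untimed protocol just described, as an added executable model that is not part of the paper (all class and function names in it are the example's own): the sender S, the receiver R and two lossy media are run under a random scheduler, which stands in for the interleavings of NETWORK, and the trace parts of M1 and SPEC are then checked on what the run produced. Two modelling assumptions fill in what the CSP text leaves to the semantics: the media are FIFO, decide at input time whether to lose a message, and never lose more than MAX_DROPS in a row, which is one concrete way of meeting the fairness condition M3; and refusals are not observed, so only the trace conjunct of SPEC (s ↓ out is a prefix of s ↓ in) is checked, together with the one-place property that follows from the sender refusing in while a message is unacknowledged.

```python
"""Added example, not code from the paper: an executable model of the untimed
alternating bit protocol of Section 5; all names here are the example's own.
Assumed: FIFO media that decide at input time whether to lose a message and
never lose more than MAX_DROPS in a row (one way of meeting fairness condition
M3); refusals are not observed, so only the trace parts of M1/SPEC are checked."""
import random
from collections import deque

MAX_DROPS = 3                       # assumed bound on consecutive losses

class LossyMedium:
    """M_{in,out}: output is a subsequence of input (M1), FIFO, no corruption."""
    def __init__(self, rng):
        self.rng, self.buf, self.drops, self.log = rng, deque(), 0, []

    def put(self, m):
        self.log.append(("in", m))
        if self.drops < MAX_DROPS and self.rng.random() < 0.5:
            self.drops += 1         # message lost
        else:
            self.drops = 0
            self.buf.append(m)

    def get(self):
        m = self.buf.popleft()
        self.log.append(("out", m))
        return m

class Sender:
    """S(s) / S'(s,x): take in?x, then offer a!(s,x) repeatedly until d?s."""
    def __init__(self):
        self.bit, self.current = 0, None    # current is None in state S(s)

    def accept(self, x):                    # in?x -> S'(s,x)
        self.current = x

    def transmit(self):                     # a!(s,x) -> S'(s,x)
        return (self.bit, self.current)

    def acknowledge(self, ack):             # d?s -> S(s bar); d?(s bar) -> resend
        if ack == self.bit:
            self.bit, self.current = 1 - self.bit, None

class Receiver:
    """R(s): b?(s,x) -> out!x -> c!s -> R(s bar); b?(s bar,x) -> c!(s bar) -> R(s)."""
    def __init__(self):
        self.bit = 0

    def receive(self, m):                   # returns (payload to output or None, ack)
        bit, x = m
        if bit == self.bit:
            self.bit = 1 - self.bit
            return x, bit
        return None, bit

def run_protocol(inputs, seed=1, max_steps=10000):
    """Run the four components under a random scheduler (standing in for the
    interleavings of NETWORK); return the in/out trace and the two media."""
    rng = random.Random(seed)
    s, r, m1, m2 = Sender(), Receiver(), LossyMedium(rng), LossyMedium(rng)
    pending, trace = list(inputs), []
    for _ in range(max_steps):
        # in is offered only in state S(s); a (retransmission) always in S'(s,x)
        enabled = ["in"] if s.current is None and pending else ["a"] if s.current is not None else []
        enabled += ["b"] * bool(m1.buf) + ["d"] * bool(m2.buf)
        if not enabled:
            break                           # quiescent: every input delivered
        act = rng.choice(enabled)
        if act == "in":
            x = pending.pop(0)
            s.accept(x)
            trace.append(("in", x))
        elif act == "a":
            m1.put(s.transmit())
        elif act == "b":
            out, ack = r.receive(m1.get())
            if out is not None:
                trace.append(("out", out))
            m2.put(ack)
        else:
            s.acknowledge(m2.get())
    return trace, m1, m2

def project(trace, channel):
    return [v for c, v in trace if c == channel]

def is_subsequence(short, long):
    it = iter(long)
    return all(x in it for x in short)

def medium_meets_M1(medium):
    """M1: the medium's outputs form a subsequence of its inputs."""
    return is_subsequence(project(medium.log, "out"), project(medium.log, "in"))

def meets_buffer_spec(trace):
    """Trace part of SPEC on every prefix: s|out is a prefix of s|in, and at
    most one message is held, since the sender refuses in until acknowledged."""
    for k in range(len(trace) + 1):
        ins, outs = project(trace[:k], "in"), project(trace[:k], "out")
        if outs != ins[:len(outs)] or len(ins) - len(outs) > 1:
            return False
    return True
```

Calling `run_protocol([1, 2, 3], seed=7)` delivers the three messages in order, and both `meets_buffer_spec` on the resulting trace and `medium_meets_M1` on each medium return True; the checks also reject constructed traces such as two inputs with no output, or an output with no input.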

Timed descriptions of the alternating bit protocol commonly employ a timeout in the description of the sender process, since the intention is that the sender should wait for an acknowledgement and then retransmit a message if this does not arrive within a certain interval. But in fact there is no need to withdraw the capability of receiving a message on the acknowledgement channel simply because a retransmission has been enabled, and so at the untimed level this behaviour may be modelled as a choice.

To provide a timed refinement of the protocol, we wish to preserve correctness of the system. The most general form of correctness that could be preserved by a timewise refinement would be for timed versions of the media to meet simply the translations of the untimed specifications with no further constraints. Thus we prefer not to impose the restriction on the media that they are non-retracting. A timed version TS of the sender process may be obtained simply by including a delay t before retransmission of a message. The length of this delay will be influenced by such factors as the length of time before an acknowledgement would be expected to arrive, and the reluctance to send unnecessary messages. The timed receiver process TR still behaves sequentially, and has no time-critical behaviour.

Some small delays $\varepsilon$ are introduced to ensure that the recursive loops are time-guarded. (These play the role of the original $\delta$ delay enforced by event prefix in earlier versions of timed CSP [ReR86].)

$$\begin{array}{lcl}
TS(s) & = & in?x \to TS'(s,x) \\
TS'(s,x) & = & \mathit{Wait}\ t;\ a!(s,x) \to TS'(s,x) \\
 & \Box & d?s \to TS(\bar{s}) \\
 & \Box & d?\bar{s} \to a!(s,x) \to TS'(s,x) \\
TR(s) & = & b?(s,x) \to out!x \to c!s \to TR(\bar{s}) \\
 & \Box & b?(\bar{s},x) \to c!\bar{s} \to TR(s)
\end{array}$$

Given two timed media TM1 and TM2 that meet the timed translation of SM, by completeness there are two untimed media M1 and M2 which meet SM and which are refined by TM1 and TM2. Then $M1 \;|||\; M2 \sqsubseteq_{UI \cap TI} TM1 \;|||\; TM2$. Also, by Theorem 3.5, and since delays may be introduced into an untimed description to produce a timed refinement, and no use has been made of the synchronous parallel operator, we have that $S \;|||\; R \sqsubseteq_{UI \cap TI} TS \;|||\; TR$. Furthermore, both the sender and the receiver are non-retracting and prompt, and so $TS \;|||\; TR$ is also non-retracting and prompt. Thus the timed network

$$TNETWORK = ((TS \;|||\; TR) \;{}_{\Sigma}\|_{\{a,b,c,d\}}\; (TM1 \;|||\; TM2)) \setminus \{a, b, c, d\}$$

is a timewise refinement of the untimed network, and so it must be a one-place buffer. Thus the functional correctness of the timed network may be deduced from an untimed analysis.

Of course, to do an analysis of the timing behaviour of the network it would be necessary to use the full power of the timed model. To consider the maximum time between input and output it is necessary to know for how long it is necessary to input messages into the media before output can be guaranteed; and to optimise the value of the timeout t it is necessary to know the expected delay in the media of a successfully transmitted message. The technique of timewise refinement cannot contribute to these concerns; its role is rather to complement them by allowing the appropriate use of more abstract methods for some analysis of aspects of a system's behaviour, even when other aspects require the use of the more complicated timed models.

6 Discussion

We have seen how verifications of specifications can be mapped up the CSP hierarchy of models, and also an example of how general laws might be translated. Other properties (such as deterministic or compact) do not translate in general. For example, the deterministic untimed process $a \to \mathit{Stop}$ is refined by the non-deterministic timed process $a \to \mathit{Stop} \;\sqcap\; \mathit{Wait}\ 5;\ a \to \mathit{Stop}$, which can perform or refuse to perform a at time 2.

There has also been some work in this area in the contexts of timed CCS and of timed ACP. Larsen and Yi [LaY93] have proposed a notion of time-abstracting bisimulation, which specifies when timed processes are equivalent modulo timing behaviour. Thus one process may be used to specify simply the functional behaviour of a system by requiring that any proposed implementation should be time-abstracting bisimilar to it. They prove that time-abstracting equivalence is decidable for a timed CCS calculus [Wan90], in contrast to the refinement relation presented in this paper, which is not decidable. Interestingly, they also establish that time-abstracting congruence (i.e. equivalence in all contexts) is standard timed bisimulation. The corresponding result for this paper is that untimed traces congruence for timed processes is the same as (finite) timed failures equivalence.

Baeten and Bergstra [BaB92] have considered the embedding of untimed ACP into real time ACP. They propose a translation of untimed ACP into the timed setting, for example translating a to $\int_{t > 0} a(t)$: an untimed a process specifies nothing about the time the a should occur, so it translates to the timed process that can perform an a at any time. This is also the philosophy of this paper. They also consider the translation of certain identities of ACP into the timed framework; this allows reasoning at a higher (untimed) level of abstraction to be incorporated when detailed reasoning about timing issues is also required. Earlier work [Sch89] investigated the relationship between the untimed models and the standard timed failures model of [Ree88]. The difficulties encountered in using that model to treat infinite behaviour led to the development of the infinite failures model, which supports a more natural treatment of timewise refinement from the untimed models.

We are also investigating other refinement relations. In particular, a relation between the failures/divergences model and the timed failures stabilities model that treats instability as divergence has the property that all CSP operators preserve refinement; and this refinement relation is complete for stable processes. When stability considerations are important then this relation would be the natural one to use. Of particular interest is the relationship between the timed models and the timed probabilistic models for CSP developed by Lowe [Low91]. Work has already been initiated in this direction (see e.g. [Low92]), which it seems should fit into the framework presented in this paper.

The underlying theory presented here is of course more general than simply CSP, and should be applicable wherever processes are modelled in terms of the behaviours they may exhibit. It may for example be applicable to Gerth and Kuiper's interface refinement [GKS92]. I feel that the theory will be useful only if refinement relations can be established at the syntactic level, since if refinement can be shown only by examining the semantics directly, then verifying abstract specifications of processes via refinement is unlikely to be much easier than performing the verification directly.
A Semantic models and functions

Traces

The traces model $M_{UT}$ is defined to be those sets of traces that are non-empty and closed under prefixing.

The semantic function $\mathcal{T}_{UT}$

The semantic function

$$\mathcal{T}_{UT} : CSP \to M_{UT}$$

is defined by the following set of equations:

$$\begin{array}{lcl}
\mathcal{T}_{UT}[\![\mathit{Chaos}]\!] & = & \{ tr \mid tr \in \Sigma^* \} \\
\mathcal{T}_{UT}[\![\mathit{Stop}]\!] & = & \{ \langle\rangle \} \\
\mathcal{T}_{UT}[\![\mathit{Skip}]\!] & = & \{ \langle\rangle, \langle \checkmark \rangle \} \\
\mathcal{T}_{UT}[\![P ; Q]\!] & = & \{ tr \mid tr \in \mathcal{T}_{UT}[\![P]\!] \wedge tr \upharpoonright \{\checkmark\} = \langle\rangle \} \\
 & \cup & \{ tr_P {}^\frown tr_Q \mid tr_P {}^\frown \langle\checkmark\rangle \in \mathcal{T}_{UT}[\![P]\!] \wedge tr_P \upharpoonright \{\checkmark\} = \langle\rangle \wedge tr_Q \in \mathcal{T}_{UT}[\![Q]\!] \} \\
\mathcal{T}_{UT}[\![P \rhd Q]\!] & = & \mathcal{T}_{UT}[\![P]\!] \cup \mathcal{T}_{UT}[\![Q]\!] \\
\mathcal{T}_{UT}[\![P \Box Q]\!] & = & \mathcal{T}_{UT}[\![P]\!] \cup \mathcal{T}_{UT}[\![Q]\!] \\
\mathcal{T}_{UT}[\![a : A \to P_a]\!] & = & \bigcup_{a \in A} \{ \langle a \rangle {}^\frown tr \mid tr \in \mathcal{T}_{UT}[\![P_a]\!] \} \\
\mathcal{T}_{UT}[\![\sqcap_{i \in I} P_i]\!] & = & \bigcup_{i \in I} \mathcal{T}_{UT}[\![P_i]\!] \\
\mathcal{T}_{UT}[\![P \,{}_A\|_B\, Q]\!] & = & \{ tr \in (A \cup B)^* \mid tr \upharpoonright A \in \mathcal{T}_{UT}[\![P]\!] \wedge tr \upharpoonright B \in \mathcal{T}_{UT}[\![Q]\!] \} \\
\mathcal{T}_{UT}[\![P \,|||\, Q]\!] & = & \{ tr \mid \exists tr_P \in \mathcal{T}_{UT}[\![P]\!], tr_Q \in \mathcal{T}_{UT}[\![Q]\!] \bullet tr\ \mathit{interleaves}\ (tr_P, tr_Q) \} \\
\mathcal{T}_{UT}[\![P \setminus A]\!] & = & \{ tr \setminus A \mid tr \in \mathcal{T}_{UT}[\![P]\!] \} \\
\mathcal{T}_{UT}[\![f(P)]\!] & = & \{ f(tr) \mid tr \in \mathcal{T}_{UT}[\![P]\!] \} \\
\mathcal{T}_{UT}[\![f^{-1}(P)]\!] & = & \{ tr \mid f(tr) \in \mathcal{T}_{UT}[\![P]\!] \} \\
\mathcal{T}_{UT}[\![\mu X \circ F(X)]\!] & = & \bigcup_{n \in \mathbb{N}} \mathcal{T}_{UT}[\![F^n(\mathit{Stop})]\!]
\end{array}$$
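The equations above can be executed directly for finite processes. The following Python is an added example, not code from the paper: it implements $\mathcal{T}_{UT}$ for the recursion-free fragment without sequential composition (Stop, prefix, choice, alphabetised parallel, interleaving and hiding), and uses it to carry out the construction in the proof of Theorem 4.5: given a timed trace s of Q with strip(s) not a trace of P, the test $T = a_1 \to \cdots \to a_n \to \omega \to \mathit{Stop}$ is built, and $P\ \mathit{may}\ T$ is decided by checking whether $\langle \omega \rangle$ is a trace of $(P \parallel T) \setminus \Sigma$. The names used (STOP, traces, merges, interleavings, refines_traces, strip, distinguishing_test, may) and the tuple encoding of process terms are this example's own.

```python
"""Added example, not code from the paper: the traces semantic function T_UT
of Appendix A for finite CSP terms (no recursion, no sequential composition),
plus strip and the test T = a_1 -> ... -> a_n -> omega -> Stop from the proof
of Theorem 4.5. All names here and the tuple encoding of terms are the
example's own."""
from typing import Set, Tuple

OMEGA = "omega"                 # success event of a test
Trace = Tuple[str, ...]

# Process terms are tuples: ("stop",), ("prefix", a, P), ("choice", P, Q),
# ("par", P, A, Q, B) for P A||B Q, ("interleave", P, Q), ("hide", P, A).
STOP = ("stop",)

def interleavings(tp: Trace, tq: Trace) -> Set[Trace]:
    """All tr with 'tr interleaves (tp, tq)'."""
    if not tp or not tq:
        return {tp + tq}
    return ({(tp[0],) + r for r in interleavings(tp[1:], tq)}
            | {(tq[0],) + r for r in interleavings(tp, tq[1:])})

def merges(tp, tq, A, B) -> Set[Trace]:
    """All tr over (A u B)* with tr|A = tp and tr|B = tq: an event in A n B is
    a joint step of both sides, any other event belongs to one side only."""
    if not tp and not tq:
        return {()}
    out: Set[Trace] = set()
    if tp and tp[0] not in B:
        out |= {(tp[0],) + r for r in merges(tp[1:], tq, A, B)}
    if tq and tq[0] not in A:
        out |= {(tq[0],) + r for r in merges(tp, tq[1:], A, B)}
    if tp and tq and tp[0] == tq[0] and tp[0] in A & B:
        out |= {(tp[0],) + r for r in merges(tp[1:], tq[1:], A, B)}
    return out

def traces(p) -> Set[Trace]:
    """T_UT[[P]], following the equations of Appendix A clause by clause."""
    op = p[0]
    if op == "stop":
        return {()}
    if op == "prefix":                       # a -> P
        return {()} | {(p[1],) + tr for tr in traces(p[2])}
    if op == "choice":                       # P [] Q (internal choice: same traces)
        return traces(p[1]) | traces(p[2])
    if op == "interleave":                   # P ||| Q
        return {tr for tp in traces(p[1]) for tq in traces(p[2])
                for tr in interleavings(tp, tq)}
    if op == "par":                          # P A||B Q: tr|A in T[P], tr|B in T[Q]
        _, P, A, Q, B = p
        return {tr for tp in traces(P) if set(tp) <= A
                for tq in traces(Q) if set(tq) <= B
                for tr in merges(tp, tq, A, B)}
    if op == "hide":                         # P \ A
        return {tuple(e for e in tr if e not in p[2]) for tr in traces(p[1])}
    raise ValueError(op)

def refines_traces(p, q) -> bool:
    """P [= Q in the traces model: every trace of Q is a trace of P."""
    return traces(q) <= traces(p)

def strip(timed_trace) -> Trace:
    """strip(<(t1,a1),...,(tn,an)>) = <a1,...,an>: forget the times."""
    return tuple(a for _, a in timed_trace)

def distinguishing_test(timed_trace):
    """The test of Theorem 4.5: a_1 -> ... -> a_n -> omega -> Stop."""
    t = ("prefix", OMEGA, STOP)
    for e in reversed(strip(timed_trace)):
        t = ("prefix", e, t)
    return t

def may(p, t, sigma) -> bool:
    """P may T: <omega> is a trace of (P ||_Sigma T) \\ Sigma, i.e. some
    execution of the hidden parallel composition reaches a state where omega
    is possible."""
    sigma = set(sigma)
    return (OMEGA,) in traces(("hide", ("par", p, sigma, t, sigma | {OMEGA}), sigma))

if __name__ == "__main__":
    P = ("prefix", "a", ("prefix", "b", STOP))
    Q = ("prefix", "a", ("choice", ("prefix", "b", STOP), ("prefix", "c", STOP)))
    T = distinguishing_test(((1.0, "a"), (2.5, "c")))   # constructed timed trace of Q
    print(refines_traces(P, Q), may(Q, T, "abc"), may(P, T, "abc"))
```

For the constructed P = a → b → Stop and Q = a → (b → Stop □ c → Stop), the timed trace ⟨(1.0, a), (2.5, c)⟩ of Q strips to ⟨a, c⟩, which is not a trace of P; the test built from it is passed by Q (may is True) and not by P (may is False), exactly the witness used in the "⇒" half of Theorem 4.5, while refines_traces(Q, P) holds and refines_traces(P, Q) fails.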


A.1 Untimed infinite traces, failures, and divergences

The process axioms given in [Ros88] correspond to the following properties required of a set S for it to correspond to the set of observations of some process. Thus the semantic model $M_{UI}$ is the collection of sets

$$S \subseteq \{f\} \times (\Sigma^* \times \mathbb{P}(\Sigma)) \;\cup\; \{d\} \times \Sigma^* \;\cup\; \{i\} \times \Sigma^\omega$$

(ordered under reverse inclusion) that meet these eight axioms.

(1) $(f, (s {}^\frown t, \{\})) \in S \Rightarrow (f, (s, \{\})) \in S$

(2) $(f, (t, X)) \in S \wedge Y \subseteq X \Rightarrow (f, (t, Y)) \in S$

(3) $(f, (t, X)) \in S \wedge \forall a \in Y \bullet (f, (t {}^\frown \langle a \rangle, \{\})) \notin S \Rightarrow (f, (t, X \cup Y)) \in S$

(4) $(d, s) \in S \Rightarrow (d, s {}^\frown t) \in S$

(5) $(d, s) \in S \Rightarrow (f, (s {}^\frown t, X)) \in S$

(6) $(i, s {}^\frown u) \in S \Rightarrow (f, (s, \{\})) \in S$

(7) $(d, s) \in S \Rightarrow (i, s {}^\frown u) \in S$

(8) $(f, (s, \{\})) \in S \Rightarrow \exists T \bullet (\forall t \in T \bullet (f, (s {}^\frown t, \{ a \mid t {}^\frown \langle a \rangle \notin T \})) \in S \;\wedge\; \{ (i, s {}^\frown u) \mid u \in \overline{T} \} \subseteq S)$

Here $\overline{T} = \{ u \in \Sigma^\omega \mid \forall t < u \bullet t \in T \}$, where T ranges over finite prefix closed sets of finite traces.

The semantic function $\mathcal{F}_{UI}$

The function $\mathcal{F}_{UI}$ is defined in terms of three functions $\mathcal{F}_{UD}$, $\mathcal{F}_{UF}$, and $\mathcal{F}_I$ yielding divergences, failures, and infinite traces respectively. It is then given by

$$\mathcal{F}_{UI}[\![P]\!] = \{ (d, tr) \mid tr \in \mathcal{F}_{UD}[\![P]\!] \} \;\cup\; \{ (f, (tr, X)) \mid (tr, X) \in \mathcal{F}_{UF}[\![P]\!] \} \;\cup\; \{ (i, u) \mid u \in \mathcal{F}_I[\![P]\!] \}$$

The semantic function $\mathcal{F}_{UD}$

The semantic function

$$\mathcal{F}_{UD} : CSP \to M_{UD}$$

is defined by the following set of equations:

$$\begin{array}{lcl}
\mathcal{F}_{UD}[\![\mathit{Chaos}]\!] & = & \{ tr \mid tr \in \Sigma^* \} \\
\mathcal{F}_{UD}[\![\mathit{Stop}]\!] & = & \{\} \\
\mathcal{F}_{UD}[\![\mathit{Skip}]\!] & = & \{\} \\
\mathcal{F}_{UD}[\![P ; Q]\!] & = & \{ tr {}^\frown tr' \mid tr \in \mathcal{F}_{UD}[\![P]\!] \wedge \checkmark \notin \sigma(tr) \wedge tr' \in \Sigma^* \} \\
 & \cup & \{ tr {}^\frown tr' \mid (tr {}^\frown \langle\checkmark\rangle, \{\}) \in \mathcal{F}_{UF}[\![P]\!] \wedge \checkmark \notin \sigma(tr) \wedge tr' \in \mathcal{F}_{UD}[\![Q]\!] \} \\
\mathcal{F}_{UD}[\![P \rhd Q]\!] & = & \mathcal{F}_{UD}[\![P]\!] \cup \mathcal{F}_{UD}[\![Q]\!] \\
\mathcal{F}_{UD}[\![P \Box Q]\!] & = & \mathcal{F}_{UD}[\![P]\!] \cup \mathcal{F}_{UD}[\![Q]\!] \\
\mathcal{F}_{UD}[\![a : A \to P_a]\!] & = & \bigcup_{a \in A} \{ \langle a \rangle {}^\frown tr \mid tr \in \mathcal{F}_{UD}[\![P_a]\!] \} \\
\mathcal{F}_{UD}[\![\sqcap_{i \in I} P_i]\!] & = & \bigcup_{i \in I} \mathcal{F}_{UD}[\![P_i]\!] \\
\mathcal{F}_{UD}[\![P \,{}_A\|_B\, Q]\!] & = & \{ tr {}^\frown tr' \mid ((tr \upharpoonright A, \{\}) \in \mathcal{F}_{UF}[\![P]\!] \wedge tr \upharpoonright B \in \mathcal{F}_{UD}[\![Q]\!]) \\
 & & \qquad \vee\ (tr \upharpoonright A \in \mathcal{F}_{UD}[\![P]\!] \wedge (tr \upharpoonright B, \{\}) \in \mathcal{F}_{UF}[\![Q]\!]) \} \\
\mathcal{F}_{UD}[\![P \,|||\, Q]\!] & = & \{ tr \mid \exists tr_P \in \mathcal{F}_{UD}[\![P]\!], (tr_Q, \{\}) \in \mathcal{F}_{UF}[\![Q]\!] \bullet tr\ \mathit{interleaves}\ (tr_P, tr_Q) \} \\
 & \cup & \{ tr \mid \exists (tr_P, \{\}) \in \mathcal{F}_{UF}[\![P]\!], tr_Q \in \mathcal{F}_{UD}[\![Q]\!] \bullet tr\ \mathit{interleaves}\ (tr_P, tr_Q) \} \\
\mathcal{F}_{UD}[\![P \setminus A]\!] & = & \{ (tr \setminus A) {}^\frown tr' \mid tr \in \mathcal{F}_{UD}[\![P]\!] \} \\
 & \cup & \{ (u \setminus A) {}^\frown tr' \mid u \in \mathcal{F}_I[\![P]\!] \wedge \#(u \setminus A) < \infty \} \\
\mathcal{F}_{UD}[\![f(P)]\!] & = & \{ f(tr) {}^\frown tr' \mid tr \in \mathcal{F}_{UD}[\![P]\!] \} \\
\mathcal{F}_{UD}[\![f^{-1}(P)]\!] & = & \{ tr \mid f(tr) \in \mathcal{F}_{UD}[\![P]\!] \}
\end{array}$$

The semantic function $\mathcal{F}_I$

The semantic function

$$\mathcal{F}_I : CSP \to M_I$$

is defined by the following set of equations:

$$\begin{array}{lcl}
\mathcal{F}_I[\![\mathit{Chaos}]\!] & = & \{ u \mid u \in \Sigma^\omega \} \\
\mathcal{F}_I[\![\mathit{Stop}]\!] & = & \{\} \\
\mathcal{F}_I[\![\mathit{Skip}]\!] & = & \{\} \\
\mathcal{F}_I[\![P ; Q]\!] & = & \{ u \mid u \in \mathcal{F}_I[\![P]\!] \wedge \checkmark \notin \sigma(u) \} \\
 & \cup & \{ tr {}^\frown u' \mid (tr {}^\frown \langle\checkmark\rangle, \{\}) \in \mathcal{F}_{UF}[\![P]\!] \wedge \checkmark \notin \sigma(tr) \wedge u' \in \mathcal{F}_I[\![Q]\!] \} \\
 & \cup & \{ tr {}^\frown u \mid tr \in \mathcal{F}_{UD}[\![P ; Q]\!] \} \\
\mathcal{F}_I[\![P \rhd Q]\!] & = & \mathcal{F}_I[\![P]\!] \cup \mathcal{F}_I[\![Q]\!] \\
\mathcal{F}_I[\![P \Box Q]\!] & = & \mathcal{F}_I[\![P]\!] \cup \mathcal{F}_I[\![Q]\!] \\
\mathcal{F}_I[\![a : A \to P_a]\!] & = & \bigcup_{a \in A} \{ \langle a \rangle {}^\frown u \mid u \in \mathcal{F}_I[\![P_a]\!] \} \\
\mathcal{F}_I[\![\sqcap_{i \in I} P_i]\!] & = & \bigcup_{i \in I} \mathcal{F}_I[\![P_i]\!] \\
\mathcal{F}_I[\![P \,{}_A\|_B\, Q]\!] & = & \{ u \mid u \upharpoonright A \in \mathcal{F}_I[\![P]\!] \wedge u \upharpoonright B \in \mathcal{F}_I[\![Q]\!] \} \;\cup\; \{ tr {}^\frown u \mid tr \in \mathcal{F}_{UD}[\![P \,{}_A\|_B\, Q]\!] \} \\
\mathcal{F}_I[\![P \,|||\, Q]\!] & = & \{ u \mid \exists u_P, u_Q \bullet (\#u_P = \infty \vee \#u_Q = \infty) \wedge u\ \mathit{interleaves}\ (u_P, u_Q) \\
 & & \qquad \wedge\ ((u_P, \{\}) \in \mathcal{F}_{UF}[\![P]\!] \vee u_P \in \mathcal{F}_I[\![P]\!]) \wedge ((u_Q, \{\}) \in \mathcal{F}_{UF}[\![Q]\!] \vee u_Q \in \mathcal{F}_I[\![Q]\!]) \} \\
 & \cup & \{ tr {}^\frown u \mid tr \in \mathcal{F}_{UD}[\![P \,|||\, Q]\!] \} \\
\mathcal{F}_I[\![P \setminus A]\!] & = & \{ u \setminus A \mid u \in \mathcal{F}_I[\![P]\!] \wedge \#(u \setminus A) = \infty \} \;\cup\; \{ tr {}^\frown u \mid tr \in \mathcal{F}_{UD}[\![P \setminus A]\!] \} \\
\mathcal{F}_I[\![f(P)]\!] & = & \{ f(u) \mid u \in \mathcal{F}_I[\![P]\!] \} \;\cup\; \{ tr {}^\frown u \mid tr \in \mathcal{F}_{UD}[\![f(P)]\!] \} \\
\mathcal{F}_I[\![f^{-1}(P)]\!] & = & \{ u \mid f(u) \in \mathcal{F}_I[\![P]\!] \}
\end{array}$$

The semantic function $\mathcal{F}_{UF}$

The semantic function

$$\mathcal{F}_{UF} : CSP \to M_{UF}$$

is defined by the following set of equations:

$$\begin{array}{lcl}
\mathcal{F}_{UF}[\![\mathit{Chaos}]\!] & = & \{ (tr, X) \mid tr \in \Sigma^* \wedge X \subseteq \Sigma \} \\
\mathcal{F}_{UF}[\![\mathit{Stop}]\!] & = & \{ (\langle\rangle, X) \mid X \subseteq \Sigma \} \\
\mathcal{F}_{UF}[\![\mathit{Skip}]\!] & = & \{ (\langle\rangle, X) \mid \checkmark \notin X \} \;\cup\; \{ (\langle\checkmark\rangle, X) \mid X \subseteq \Sigma \} \\
\mathcal{F}_{UF}[\![P ; Q]\!] & = & \{ (tr, X) \mid \checkmark \notin \sigma(tr) \wedge (tr, X \cup \{\checkmark\}) \in \mathcal{F}_{UF}[\![P]\!] \} \\
 & \cup & \{ (tr {}^\frown tr', X) \mid \checkmark \notin \sigma(tr) \wedge (tr {}^\frown \langle\checkmark\rangle, \{\}) \in \mathcal{F}_{UF}[\![P]\!] \wedge (tr', X) \in \mathcal{F}_{UF}[\![Q]\!] \} \\
 & \cup & \{ (tr, X) \mid tr \in \mathcal{F}_{UD}[\![P ; Q]\!] \} \\
\mathcal{F}_{UF}[\![P \rhd Q]\!] & = & \mathcal{F}_{UF}[\![Q]\!] \;\cup\; \{ (tr, X) \mid (tr, X) \in \mathcal{F}_{UF}[\![P]\!] \wedge tr \neq \langle\rangle \} \\
\mathcal{F}_{UF}[\![P \Box Q]\!] & = & \{ (\langle\rangle, X) \mid (\langle\rangle, X) \in \mathcal{F}_{UF}[\![P]\!] \cap \mathcal{F}_{UF}[\![Q]\!] \} \\
 & \cup & \{ (tr, X) \mid tr \neq \langle\rangle \wedge (tr, X) \in \mathcal{F}_{UF}[\![P]\!] \cup \mathcal{F}_{UF}[\![Q]\!] \} \\
\mathcal{F}_{UF}[\![a : A \to P_a]\!] & = & \{ (\langle\rangle, X) \mid X \cap A = \{\} \} \;\cup\; \bigcup_{a \in A} \{ (\langle a \rangle {}^\frown tr, X) \mid (tr, X) \in \mathcal{F}_{UF}[\![P_a]\!] \} \\
\mathcal{F}_{UF}[\![\sqcap_{i \in I} P_i]\!] & = & \bigcup_{i \in I} \mathcal{F}_{UF}[\![P_i]\!] \\
\mathcal{F}_{UF}[\![P \,{}_A\|_B\, Q]\!] & = & \{ (tr, Z) \mid \exists X, Y \bullet (tr \upharpoonright A, X \upharpoonright A) \in \mathcal{F}_{UF}[\![P]\!] \wedge (tr \upharpoonright B, Y \upharpoonright B) \in \mathcal{F}_{UF}[\![Q]\!] \\
 & & \qquad \wedge\ (X \upharpoonright A) \cup (Y \upharpoonright B) = Z \upharpoonright (A \cup B) \wedge tr = tr \upharpoonright (A \cup B) \} \\
 & \cup & \{ (tr, X) \mid tr \in \mathcal{F}_{UD}[\![P \,{}_A\|_B\, Q]\!] \} \\
\mathcal{F}_{UF}[\![P \,|||\, Q]\!] & = & \{ (tr, X) \mid \exists tr_P, tr_Q \bullet tr\ \mathit{interleaves}\ (tr_P, tr_Q) \wedge (tr_P, X) \in \mathcal{F}_{UF}[\![P]\!] \wedge (tr_Q, X) \in \mathcal{F}_{UF}[\![Q]\!] \} \\
 & \cup & \{ (tr, X) \mid tr \in \mathcal{F}_{UD}[\![P \,|||\, Q]\!] \} \\
\mathcal{F}_{UF}[\![P \setminus A]\!] & = & \{ (tr \setminus A, X) \mid (tr, X \cup A) \in \mathcal{F}_{UF}[\![P]\!] \} \;\cup\; \{ (tr, X) \mid tr \in \mathcal{F}_{UD}[\![P \setminus A]\!] \} \\
\mathcal{F}_{UF}[\![f(P)]\!] & = & \{ (f(tr), X) \mid (tr, f^{-1}(X)) \in \mathcal{F}_{UF}[\![P]\!] \} \;\cup\; \{ (tr, X) \mid tr \in \mathcal{F}_{UD}[\![f(P)]\!] \} \\
\mathcal{F}_{UF}[\![f^{-1}(P)]\!] & = & \{ (tr, X) \mid (f(tr), f(X)) \in \mathcal{F}_{UF}[\![P]\!] \}
\end{array}$$

The least fixed point is given by

$$\mathcal{F}_{UI}[\![\mu X \circ F(X)]\!] = \bigsqcap_{\alpha} \mathcal{F}_{UI}[\![F^\alpha(\mathit{Chaos})]\!]$$

where $\alpha$ ranges over all ordinals; and for limit ordinals $\gamma$, we define the semantics $\mathcal{F}_{UI}[\![F^\gamma(\mathit{Chaos})]\!]$ to be the least upper bound in $M_{UI}$ of the set of processes $\{ \mathcal{F}_{UI}[\![F^\alpha(\mathit{Chaos})]\!] \mid \alpha < \gamma \}$. It is established in [Ros88] that this is well-defined.

Infinite Timed Failures

The information ordering on behaviours is defined as follows:

$$(s', \aleph') \preceq (s, \aleph) \;\Leftrightarrow\; \exists s'' \bullet s = s' {}^\frown s'' \wedge \aleph' \subseteq \aleph \lhd \mathit{begin}(s'')$$

We formally define $M_{TI}$ to be those subsets S of $T\Sigma \times \mathit{IRSET}$ satisfying axioms 1-3 given below, and axiom 4 to follow.

1. $(\langle\rangle, \{\}) \in S$

2. $(s, \aleph) \in S \wedge (s', \aleph') \preceq (s, \aleph) \Rightarrow (s', \aleph') \in S$

3. $(s, \aleph) \in S \Rightarrow \exists \aleph' \in \mathit{IRSET} \bullet \aleph \subseteq \aleph' \wedge (s, \aleph') \in S \wedge \forall (t, a) \in \mathbb{R}^+ \times \Sigma \bullet$

   (C1) $(t, a) \notin \aleph' \Rightarrow (s \lhd t {}^\frown \langle (t, a) \rangle, \aleph' \lhd t) \in S$

   $\wedge$

   (C2) $(t > 0 \wedge \neg \exists \varepsilon > 0 \bullet ((t - \varepsilon, t) \times \{a\} \subseteq \aleph')) \Rightarrow (s \lhd t {}^\frown \langle (t, a) \rangle, \aleph' \lhd t) \in S$

Axioms 1 and 2 require that an element of $M_{TI}$ must be a non-empty downward closed set of behaviours. Axiom 3 requires that on every execution, timed events must be either possible or refusible.

A set of behaviours T is finitely variable if for every time t, the set $T \lhd t$ is a complete partial order under $\preceq$. A set of behaviours T is closed if

$$T = \overline{T} = \{ (s, \aleph) \mid \forall t \bullet (s, \aleph) \lhd t \in T \}$$

Let $\mathcal{CL}$ be the set of finitely variable closed sets of behaviours satisfying axioms 1-3. Then axiom 4 states that

4. $S = \bigcap \{ Q \in \mathcal{CL} \mid S \subseteq Q \}$


The semantic function $\mathcal{F}_{TI}$

The semantic function

$$\mathcal{F}_{TI} : CSP \to M_{TI}$$

is defined by the following set of equations:

$$\begin{array}{lcl}
\mathcal{F}_{TI}[\![\mathit{Chaos}]\!] & = & \{ (s, \aleph) \mid s \in T\Sigma \wedge \aleph \in \mathit{IRSET} \} \\
\mathcal{F}_{TI}[\![\mathit{Stop}]\!] & = & \{ (\langle\rangle, \aleph) \mid \aleph \in \mathit{IRSET} \} \\
\mathcal{F}_{TI}[\![\mathit{Skip}]\!] & = & \{ (\langle\rangle, \aleph) \mid \checkmark \notin \sigma(\aleph) \} \\
 & \cup & \{ (\langle (t, \checkmark) \rangle, \aleph) \mid t \geq 0 \wedge \checkmark \notin \sigma(\aleph \upharpoonright [0, t)) \} \\
\mathcal{F}_{TI}[\![P ; Q]\!] & = & \{ (s, \aleph) \mid \checkmark \notin \sigma(s) \wedge (s, \aleph \cup ([0, \infty) \times \{\checkmark\})) \in \mathcal{F}_{TI}[\![P]\!] \} \\
 & \cup & \{ (s, \aleph) \mid \exists s_P, s_Q, t \bullet s = s_P {}^\frown s_Q \wedge \checkmark \notin \sigma(s_P) \wedge (s_Q, \aleph) - t \in \mathcal{F}_{TI}[\![Q]\!] \\
 & & \qquad \wedge\ (s_P {}^\frown \langle (t, \checkmark) \rangle, \aleph \lhd t \cup ([0, t) \times \{\checkmark\})) \in \mathcal{F}_{TI}[\![P]\!] \} \\
\mathcal{F}_{TI}[\![P \rhd Q]\!] & = & \{ (s, \aleph) \mid \mathit{begin}(s) \leq t_0 \wedge (s, \aleph) \in \mathcal{F}_{TI}[\![P]\!] \} \\
 & \cup & \{ (s, \aleph) \mid \mathit{begin}(s) > t_0 \wedge (\langle\rangle, \aleph \lhd t_0) \in \mathcal{F}_{TI}[\![P]\!] \wedge (s, \aleph) - t_0 \in \mathcal{F}_{TI}[\![Q]\!] \} \\
\mathcal{F}_{TI}[\![P \Box Q]\!] & = & \{ (\langle\rangle, \aleph) \mid (\langle\rangle, \aleph) \in \mathcal{F}_{TI}[\![P]\!] \cap \mathcal{F}_{TI}[\![Q]\!] \} \\
 & \cup & \{ (s, \aleph) \mid s \neq \langle\rangle \wedge (s, \aleph) \in \mathcal{F}_{TI}[\![P]\!] \cup \mathcal{F}_{TI}[\![Q]\!] \wedge (\langle\rangle, \aleph \lhd \mathit{begin}(s)) \in \mathcal{F}_{TI}[\![P]\!] \cap \mathcal{F}_{TI}[\![Q]\!] \} \\
\mathcal{F}_{TI}[\![a : A \to P_a]\!] & = & \{ (\langle\rangle, \aleph) \mid A \cap \sigma(\aleph) = \{\} \} \\
 & \cup & \{ (\langle (t, a) \rangle {}^\frown (s + t), \aleph) \mid a \in A \wedge t \geq 0 \wedge A \cap \sigma(\aleph \lhd t) = \{\} \wedge (s, \aleph - t) \in \mathcal{F}_{TI}[\![P_a]\!] \} \\
\mathcal{F}_{TI}[\![P \,{}_A\|_B\, Q]\!] & = & \{ (s, \aleph) \mid \exists \aleph_P, \aleph_Q \bullet \aleph \upharpoonright (A \cup B) = (\aleph_P \upharpoonright A) \cup (\aleph_Q \upharpoonright B) \wedge s = s \upharpoonright (A \cup B) \\
 & & \qquad \wedge\ (s \upharpoonright A, \aleph_P) \in \mathcal{F}_{TI}[\![P]\!] \wedge (s \upharpoonright B, \aleph_Q) \in \mathcal{F}_{TI}[\![Q]\!] \} \\
\mathcal{F}_{TI}[\![P \,|||\, Q]\!] & = & \{ (s, \aleph) \mid \exists s_P, s_Q \bullet s \in s_P \,|||\, s_Q \wedge (s_P, \aleph) \in \mathcal{F}_{TI}[\![P]\!] \wedge (s_Q, \aleph) \in \mathcal{F}_{TI}[\![Q]\!] \} \\
\mathcal{F}_{TI}[\![P \setminus A]\!] & = & \{ (s \setminus A, \aleph) \mid (s, \aleph \cup ([0, \infty) \times A)) \in \mathcal{F}_{TI}[\![P]\!] \} \\
\mathcal{F}_{TI}[\![f(P)]\!] & = & \{ (f(s), \aleph) \mid (s, f^{-1}(\aleph)) \in \mathcal{F}_{TI}[\![P]\!] \} \\
\mathcal{F}_{TI}[\![f^{-1}(P)]\!] & = & \{ (s, \aleph) \mid (f(s), f(\aleph)) \in \mathcal{F}_{TI}[\![P]\!] \}
\end{array}$$

The least fixed point is given by

$$\mathcal{F}_{TI}[\![\mu X \circ F(X)]\!] = \bigsqcap_{\alpha} \mathcal{F}_{TI}[\![F^\alpha(\mathit{Chaos})]\!]$$

where $\alpha$ ranges over all ordinals; and for limit ordinals $\gamma$, we define the semantics $\mathcal{F}_{TI}[\![F^\gamma(\mathit{Chaos})]\!]$ to be the least upper bound in $M_{TI}$ of $\{ \mathcal{F}_{TI}[\![F^\alpha(\mathit{Chaos})]\!] \mid \alpha < \gamma \}$. It is established in [MRS92] that this is well-defined.
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Abstract.  In  this  paper,  we  present  a  relativised  compositional  proof  system 
for  real-timed  processes.  The  proof  system  allows  ns  to  derive  statements  of 
the  form  A  h  E  =  F,  where  processes  E,  F  may  contain  free  time  variables 
and  A  is  a  formula  of  the  first  order  theory  of  time  domain.  The  formula 
A  h  E  =  F  means  that  A  is  a  condition  for  process  £  to  be  bisimilar  to 
process  F.  The  proof  system  is  sound  and  is  independent  of  the  choice  of 
time  domain,  allowing  time  to  be  discrete  or  dense.  It  is  complete  for  finite 
terms,  i.e.  terms  without  recursion,  over  dense  time  domains.  It  is  also  shown 
complete  for  a  sublanguage  over  discrete  time  domains.  We  discuss  how  to 
restrict  occurrences  of  time  variables  to  obtain  the  sublanguage.  We  finally 
discuss  extensions  of  the  proof  system  for  recursively  defined  processes. 


1  Introduction 

Process algebras, such as CCS [Mil80, Mil89], CSP [Hoa85] and ACP [BK85], are structured description languages for concurrent systems and have a variety of well developed semantic theories and verification methods. However, none of them considers temporal aspects of systems. Instead they deal with the quantitative aspects of time of systems in a qualitative way. There are many systems and applications for which purely qualitative specification and analysis are inadequate. Examples are real-time systems, such as fault tolerant systems and safety critical systems, in which the interactions with the environment must satisfy some time constraints.

Recently there have been some attempts to introduce real time into well developed process algebras [BB91, CAM90, Che92a, MT90, RR88, Wan91]. In [Che92a], we proposed a timed calculus, Timed CCS, which is an extension of Milner's CCS with time. We make no assumption about the underlying nature of time, allowing time to be discrete or dense. The time variables in the language allow us to express a notion of time dependency, which says that the time of some actions depends on the happening time of their previous actions. For example, in the process $a(t)^{5}_{0}.\, b(s)^{5-t}_{0}.\, nil$, the time for action $b$ depends on the happening time of action $a$: for different happening times of $a$, the time for $b$ is different. In [Che91a, Klu91], sound and complete proof systems for Timed CCS and for a restricted language of ACPρI have been proposed. However, these proof systems are based on some powerful infinite rules. In Timed CCS, for example, the corresponding rule has the form

$$\frac{\forall u.\ e \le u \le e' \to E\{u/t\} = F\{u/t\}}{a(t)^{e'}_{e}.\, E = a(t)^{e'}_{e}.\, F}$$

Since time may be dense, the proof systems, although sound and complete, are only of theoretical interest.

* The author is supported by grant GR/G54399 of the Science and Engineering Research Council of the UK. Most of the work was done when the author was in LFCS, University of Edinburgh.

In [Che92a], we use the notation $A \models E \sim F$ to represent that formula $A$ is a condition for process $E$ to be bisimilar to process $F$. We say $A$ is a condition for $E$ to be bisimilar to $F$ if for any time instants $u_1, \ldots, u_n$, $A\{u_1/t_1, \ldots, u_n/t_n\}$ implies $E\{u_1/t_1, \ldots, u_n/t_n\} \sim F\{u_1/t_1, \ldots, u_n/t_n\}$, where $A$, $E$ and $F$ contain at most the free time variables $t_1, \ldots, t_n$. In this paper, we present a relativised compositional proof system in which we derive statements of the form $A \vdash E = F$. The formula $A \vdash E = F$ means that it is provable that $A$ is a condition for $E$ to be bisimilar to $F$. The proof system is sound and is independent of the choice of time domain, allowing time to be discrete or dense. It is complete for finite processes over dense time domains. It is also shown complete for a sublanguage over discrete time domains. We discuss how to extend the proof system with some form of inductive rule for the proofs of recursively defined processes. There is no infinite proof rule in the proof system, and therefore it is realistic and hopefully useful.

We mainly focus on finite terms, i.e. those without recursion. In section 2, we give a formal description of the syntax and semantics of a simple real-time calculus. We define strong bisimulation for timed processes. In section 3, we present the proof system and show by an example how it works. In section 4, we show soundness of the proof system. We also show completeness of the proof system over dense time domains and completeness for a sublanguage over discrete time domains. We discuss how to restrict occurrences of time variables to obtain the sublanguage. Finally, we discuss in section 5 extensions of the proof system with inductive rules for the proof of recursively defined processes. We show by an example how an extended proof system works for recursively defined processes.

All proofs are omitted and can be found in [Che92b].

2  The  Language 

We only consider here a simple timed calculus, a sublanguage of Timed CCS [Che92a]. This is done to facilitate an elegant presentation of the key ideas of the paper. There is no difficulty in extending the ideas to include both restriction and relabelling.


2.1  The  Syntax 

To give a formal description of the simple timed calculus, we presuppose a set $A$, ranged over by $a, b$, of atomic actions not containing $\tau$. Let $Act = A \cup \{\tau\}$, ranged over by $\alpha, \beta$. As in CCS, $A$ can be partitioned into $\Gamma$, the set of names, and $\bar\Gamma = \{\bar a \mid a \in \Gamma\}$, the set of co-names, with the provision that $\bar{\bar a} = a$. $a$ and $\bar a$ are called complementary actions, which form the basis of communication in our language, analogous to CCS. We also presuppose an infinite set $V_t$ of time variables, ranged over by $t, s, r$. Let the time domain be $(T \cup \{\infty\}, \le)$, where $T$ contains a least element $0$ to represent the starting time and $\le$ is a linear order over $T$. Note that we make no assumption about the underlying nature of time, allowing $T$ to be $\mathbb{N}$, the set of natural numbers, or $\mathbb{R}^{\ge 0}$, the set of non-negative reals. We introduce $\infty$ to represent infinite time, where $\infty \notin T$. Our time expressions, ranged over by $e, f, g$, are defined as follows:

Definition 2.1

1. for any $u \in T$ and $t \in V_t$, $u$ and $t$ are time expressions;

2. for every $u \in T$ and time expression $e$, $u \times e$ is a time expression; and

3. if $e$ and $f$ are time expressions, then $e + f$, $e \,\dot{-}\, f$, $\max(e, f)$ and $\min(e, f)$ are all time expressions, where $\dot{-}$ is the conditional subtraction, i.e. $e' \,\dot{-}\, e = e' - e$ whenever $e \le e'$ and $e' \,\dot{-}\, e = 0$ whenever $e > e'$.

Remark  The  decidability  result  of  [Che92a]  justifies  our  decision  on  the  choices 
of  time  expressions. 

By convention, for any time expression $e$, we have $e \le \infty$, $\infty \circ e = \infty$, $\max(e, \infty) = \infty$ and $\min(e, \infty) = e$, where $\circ$ is $+$ or $\dot{-}$. We will write $e' - e$ in place of $e' \,\dot{-}\, e$ whenever $e \le e'$.

The process expressions of the language are defined by the following BNF expressions.

$$E ::= \delta \;\mid\; nil \;\mid\; (e)E \;\mid\; a(t)^{e'}_{e}.\, E \;\mid\; E + F \;\mid\; E \mid F$$

where $e$ is a time expression and $e'$ is a time expression or $e' = \infty$.

Note that $(\infty)E$ is not a process, but we allow ourselves to write $(\infty)\delta$ as syntactically identical to $nil$.

Process $\delta$ is a dead process which neither performs any action nor idles. Process $nil$ cannot do any action, but idles for any time. Time prefix $(e)E$ will behave as process $E$ after a delay of time $e$.⁷ Action prefix $a(t)^{e'}_{e}.\, E$ represents the process which can perform action $a$ between times $e$ and $e'$ (inclusive), where the time variable $t$ refers to the happening time of action $a$. Time variables of the language allow us to represent the notion of time dependency. For example, a system which can perform an action $a$ followed by an action $b$, where $a$ can occur at any time and, if $a$ occurs after a delay of time $t$, then $b$ must occur within another $t$ time, can be expressed as the process $a(t)^{\infty}_{0}.\, b(s)^{t}_{0}.\, nil$ of the language. Summation $E + F$ represents choice between processes $E$ and $F$. The choice is made at the time of the first action of $E$ or $F$, or at the time when only one process can idle. In the latter case, the process which cannot delay is dropped from the future computation. Process $E \mid F$ represents the parallel composition of processes $E$ and $F$. Each of them may perform actions independently, or they may synchronise on complementary actions, which represent communications between them. Parallel composition is synchronous with respect to the passage of time, i.e. the parallel composition $E \mid F$ can delay time $u$ only when both $E$ and $F$ can.

The action prefix operator $a(t)^{e'}_{e}$ in $a(t)^{e'}_{e}.\, E$ binds all free occurrences of time variable $t$ in $E$. This gives us, in the usual sense, the notions of free and bound occurrences of time variables. We use $fvt(E)$ to represent the set of all free time variables occurring in $E$. A process $E$ is said to be an agent if $fvt(E) = \emptyset$. Let $\mathcal{P}$ represent the set of agents, which is ranged over by $P, Q, R$.

⁷ Time prefix $(e)E$ is a derivable operator of Timed CCS [Che92a].

2.2  The  Operational  Semantics 

In order to define an operational semantics for the simple timed calculus, we use a labelled transition system of the form

$$(\mathcal{P},\ \{\to_u \mid u \in T\} \cup \{\xrightarrow{\alpha}_u \mid \alpha \in Act \wedge u \in T\})$$

The understanding of the transition $P \xrightarrow{\alpha}_u P'$ is that agent $P$ performs action $\alpha$ at time $u$ relative to the previous action and then evolves to $P'$. The transition $P \to_u P'$ means that agent $P$ idles up to time $u$ without any action and then evolves to $P'$.

To define the transition rules, we first define Moller and Tofts' maximal delay time of processes before any actions [MT90].

Definition 2.2

(1) $|\delta|_T = 0$   (4) $|\alpha(t)^{e'}_{e}.\, E|_T = e'$

(2) $|nil|_T = \infty$   (5) $|E + F|_T = \max(|E|_T, |F|_T)$

(3) $|(e)E|_T = e + |E|_T$   (6) $|E \mid F|_T = \min(|E|_T, |F|_T)$

Table 1 presents the transition rules of the language. The rules are presented in natural deduction style and are read as follows: if the transition or transitions above the inference line can be inferred, then we can infer the transition below the line. The operational semantics of the language is then given by the least transition relations $\xrightarrow{\alpha}_u$ and $\to_u$, where $\alpha \in Act$ and $u \in T$, defined in Table 1.

2.3  Strong  Equivalence 

We do not wish to distinguish agents which, in some sense, have the same behaviours. The notion of bisimulation between agents captures the idea of having the same behaviours. We say two agents are not equivalent if a distinction can be detected by an experimenter who interacts with each of them.

Definition 2.3 A binary relation $S$ over agents is a strong $T$-bisimulation if $(P, Q) \in S$ implies that for all $\alpha \in Act$ and $u \in T$

(1) if $P \xrightarrow{\alpha}_u P'$, then there is a $Q'$ such that $Q \xrightarrow{\alpha}_u Q'$ and $(P', Q') \in S$;

(2) if $Q \xrightarrow{\alpha}_u Q'$, then there is a $P'$ such that $P \xrightarrow{\alpha}_u P'$ and $(P', Q') \in S$; and

(3) $|P|_T = |Q|_T$.

We say two agents $P$ and $Q$ are strongly bisimilar, denoted by $P \sim Q$, if there is a strong $T$-bisimulation $S$ such that $(P, Q) \in S$.

Definition 2.4 For any processes $E$ and $F$ which contain at most the time variables $t_1, \ldots, t_n$, we say $E \sim F$ if for any $u_1, \ldots, u_n \in T$ we have

$$E\{u_1/t_1, \ldots, u_n/t_n\} \sim F\{u_1/t_1, \ldots, u_n/t_n\}$$

Table 1. Operational Semantics


The relation $\sim$ itself is a strong $T$-bisimulation, the largest strong $T$-bisimulation. It is an equivalence relation, called the strong equivalence. Moreover, it is a congruence relation.

To define a characteristic formula $WC(E, F)$ for processes $E$ and $F$, we first introduce a notion of normal form.

Definition 2.5 A process $E = \sum_{i \in I} a_i(t_i)^{e_i'}_{e_i}.\, E_i + (e)\delta$ is in normal form if for any $i \in I$, $e_i' \le e$ and $E_i$ is also in normal form.

We identify those formulae which are logically equivalent, i.e. two formulae $A$ and $B$ are identical if $A \leftrightarrow B$. Clearly, for any process $E$ there is a normal form $E'$ such that $E \sim E'$. The characteristic formula $WC(E, F)$ of $E$ to be bisimilar to $F$ is defined as follows:

Definition 2.6 For any processes $E$ and $F$, let

$$E' = \sum_{i \in I} a_i(t_i)^{e_i'}_{e_i}.\, E_i + (e)\delta \qquad\text{and}\qquad F' = \sum_{j \in J} b_j(s_j)^{f_j'}_{f_j}.\, F_j + (f)\delta$$

be normal forms which satisfy $E \sim E'$ and $F \sim F'$. We define

$$WC(E, F) \stackrel{\mathrm{def}}{=} (e = f)\ \wedge\ \bigwedge_{i \in I} \forall t\, \Big(e_i \le t \le e_i' \to \bigvee_{j \in J,\ a_i = b_j} \big(f_j \le t \wedge t \le f_j' \wedge WC(E_i\{t/t_i\}, F_j\{t/s_j\})\big)\Big)$$
$$\wedge\ \bigwedge_{j \in J} \forall t\, \Big(f_j \le t \le f_j' \to \bigvee_{i \in I,\ a_i = b_j} \big(e_i \le t \wedge t \le e_i' \wedge WC(E_i\{t/t_i\}, F_j\{t/s_j\})\big)\Big)$$

It is easy to see that the characteristic formula $WC(E, F)$ of $E$ to be bisimilar to $F$ is well defined. Moreover, we have the following property.

Proposition 2.7 For any processes $E$ and $F$, $WC(E, F)$ if and only if $E \sim F$.

3  A  Proof  System 

We have shown that for any processes $E$ and $F$, there is a characteristic formula $WC(E, F)$ such that $E \sim F$ if and only if $WC(E, F)$. We say a formula $A$ is a condition for $E$ to be bisimilar to $F$ if and only if $WC(E, F) \to A$. We use the notation $A \models E \sim F$ to represent that the formula $A$ is a condition for process $E$ to be bisimilar to process $F$. In this section, we describe a relativised compositional proof system in which we derive statements of the form $A \vdash E = F$.

To simplify the presentation of the proof system, we first introduce a notion of time shift $e \gg E$, which is a relative version of that of [BB91].

Definition 3.1 For any time expression $e$ and process $E$, the time shift $e \gg E$ is inductively defined as follows:

(1) $e \gg \delta \stackrel{\mathrm{def}}{=} \delta$

(2) $e \gg nil \stackrel{\mathrm{def}}{=} nil$

(3) $e \gg (a(t)^{f'}_{f}.\, E) \stackrel{\mathrm{def}}{=} a(t)^{f' \dot{-} e}_{(f \dot{-} e) + (\max(e, f') - f')}.\, E\{t + e/t\}$

(4) $e \gg (E + F) \stackrel{\mathrm{def}}{=} e \gg E + e \gg F$

(5) $e \gg (E \mid F) \stackrel{\mathrm{def}}{=} e \gg E \mid e \gg F$

Note the subtlety in the definition of $e \gg (a(t)^{f'}_{f}.\, E)$. It ensures that the lower bound $(f \dot{-} e) + (\max(e, f') - f') > 0$ whenever $e > f'$.

Table 2 contains all axioms and Table 3 contains all proof rules. The proof rules are of the form

$$\frac{S_1 \quad \ldots \quad S_n}{S}$$

where $S_1, \ldots, S_n, S$ are statements. The rule can be read as: if all premises $S_1, \ldots, S_n$ can be derived, then the conclusion $S$ can be derived.

We say $A \vdash X = Y$ is derivable if it can be derived from the axioms in Table 2 by using the proof rules in Table 3. For convenience, in the sequel, we write $A \vdash X = Y$ to assert that $A \vdash X = Y$ is derivable. We also write $\vdash E = F$ in place of $true \vdash E = F$.


$false \vdash X = Y$

$true \vdash X = X$

$true \vdash X = X + \delta$   $true \vdash X = X + X$

$true \vdash X + Y = Y + X$   $true \vdash X + (Y + Z) = (X + Y) + Z$

$true \vdash X = (0)X$   $true \vdash (e)(e')\delta = (e + e')\delta$

$true \vdash (e)(X + Y) = (e)X + (e)Y$   $true \vdash a(t)^{e'}_{e}.\, X = a(t)^{e'}_{e}.\, X + (\max(0, e'))\delta$

$e' < e \vdash a(t)^{e'}_{e}.\, X = (\max(0, e'))\delta$

$e \le f \le e' \vdash a(t)^{e'}_{e}.\, X = a(t)^{f}_{e}.\, X + a(t)^{e'}_{f}.\, X$

$true \vdash a(t)^{e'}_{e}.\, X = a(s)^{e'}_{e}.\, X\{s/t\}$   ($s$ is free for $t$ in $X$)

$true \vdash (e)(a(t)^{f'}_{f}.\, X) = a(t)^{f' + e}_{f + e}.\, X\{t - e/t\}$   ($t \notin fv(e)$)

Let $X = \sum_{i \in I} a_i(t_i)^{e_i'}_{e_i}.\, X_i + (e)\delta$ and $Y = \sum_{j \in J} b_j(s_j)^{f_j'}_{f_j}.\, Y_j + (f)\delta$ be normal forms; then

$$true \vdash X \mid Y = \sum_{i \in I} a_i(r_i)^{\min(e_i', f)}_{e_i}.\, (X_i\{r_i/t_i\} \mid r_i \gg Y)$$
$$+ \sum_{j \in J} b_j(r_j')^{\min(f_j', e)}_{f_j}.\, (r_j' \gg X \mid Y_j\{r_j'/s_j\})$$
$$+ \sum_{i \in I,\ j \in J,\ a_i = \bar b_j} \tau(r_{ij})^{\min(e_i', f_j')}_{\max(e_i, f_j)}.\, (X_i\{r_{ij}/t_i\} \mid Y_j\{r_{ij}/s_j\})$$
$$+ (\min(e, f))\delta$$

where for any $i \in I$, $j \in J$, $r_i$, $r_j'$ and $r_{ij}$ are fresh time variables.

Table 2. Axioms


$$(1)\ \frac{A \vdash X = Y \qquad A \vdash Y = Z}{A \vdash X = Z} \qquad\qquad (2)\ \frac{A \vdash X = Y \qquad B \vdash X = Y}{A \vee B \vdash X = Y}$$

$$(3)\ \frac{B \vdash X = Y}{A \vdash X = Y}\ \ (A \to B) \qquad\qquad (4)\ \frac{A \vdash X = Y}{A \wedge e = f \vdash (e)X = (f)Y}$$

$$(5)\ \frac{A \wedge e \le t \le e' \vdash X = Y}{A \wedge e = f \wedge e' = f' \vdash a(t)^{e'}_{e}.\, X = a(t)^{f'}_{f}.\, Y}\ \ (t \notin fv(A))$$

$$(6)\ \frac{A \vdash X = Y \qquad A \vdash X' = Y'}{A \vdash X + X' = Y + Y'} \qquad\qquad (7)\ \frac{A \vdash X = Y \qquad B \vdash X = Z}{A \vee B \vdash X + Y + Z = Y + Z}$$

Table 3. Proof Rules


Lemma 3.2

(1) If $A \vdash X = Y$ and $t \notin fv(A)$, then $A \wedge (e \le t \le e') \vdash a(t)^{e'}_{e}.\, X = a(t)^{e'}_{e}.\, Y$.

(2) If $A \vdash X = Y$ and $t \notin fv(A)$, then $A \wedge e = f \wedge e' = f' \vdash a(t)^{e'}_{e}.\, X = a(t)^{f'}_{f}.\, Y$.

Remark Rules (1) and (2) of Lemma 3.2 are equipotent with proof rule 5. In fact, they were the version which I first proposed. Thanks to Faron Moller for suggesting the present proof rule 5.

Now we consider a simple example and show how the proof system works. In Section 5, we will consider a more interesting example and show how the proof system also works for recursively defined processes.

Example Let $E = b(s)^{t \dot{-} (2 \dot{-} t)}_{0}.\, \delta$, $F = b(s)^{2t - 2}_{0}.\, \delta$ and $G = b(s)^{t}_{0}.\, \delta$. We show that

$$\vdash a(t)^{10}_{1}.\, (E + F + G) = a(t)^{10}_{1}.\, (F + G)$$

is derivable.


$$\frac{\dfrac{\vdash \delta = \delta}{t \dot{-} (2 \dot{-} t) = 2t - 2 \vdash b(s)^{t \dot{-} (2 \dot{-} t)}_{0}.\, \delta = b(s)^{2t - 2}_{0}.\, \delta}}{t \le 2 \vdash b(s)^{t \dot{-} (2 \dot{-} t)}_{0}.\, \delta = b(s)^{2t - 2}_{0}.\, \delta}\qquad t \le 2 \to (t \dot{-} (2 \dot{-} t) = 2t - 2)$$

and

$$\frac{\dfrac{\vdash \delta = \delta}{t \dot{-} (2 \dot{-} t) = t \vdash b(s)^{t \dot{-} (2 \dot{-} t)}_{0}.\, \delta = b(s)^{t}_{0}.\, \delta}}{t > 2 \vdash b(s)^{t \dot{-} (2 \dot{-} t)}_{0}.\, \delta = b(s)^{t}_{0}.\, \delta}\qquad t > 2 \to (t \dot{-} (2 \dot{-} t) = t)$$

By rule 7

$$t \le 2 \vee t > 2 \vdash E + F + G = F + G$$

and

$$\frac{\dfrac{t \le 2 \vee t > 2 \vdash E + F + G = F + G}{1 \le t \le 10 \vdash E + F + G = F + G}\qquad 1 \le t \le 10 \to (t \le 2 \vee t > 2)}{\vdash a(t)^{10}_{1}.\, (E + F + G) = a(t)^{10}_{1}.\, (F + G)}$$


4  Soundness  and  Completeness 

In this section, we show that the proof system is sound, i.e. whenever we have a derivation of the form $A \vdash E = F$, then formula $A$ is a condition for $E$ to be bisimilar to $F$. The soundness is independent of the choice of time domain. We also show that the proof system is complete for processes over dense time domains, but only complete for a sublanguage over discrete time domains.

4.1 Soundness

The soundness of the proof system is shown by the following proposition.

Proposition 4.1 (Soundness) If $A \vdash E = F$, then $A \models E \sim F$.

Note that the side condition of rule 5 is important, as otherwise the rule is invalid. As an example, let the formula $A$ be $1 \le t \le 5$, and the processes $X$ and $Y$ be $b(s)^{10 - t}_{0}.\, nil$ and $b(s)^{5}_{0}.\, nil$, respectively. Clearly we have $A \wedge 5 \le t \le 10 \models X \sim Y$, but $A \not\models$
4.2 Completeness in Dense Time Domains

In this section, we assume time to be dense. For example, we can assume the time domain is $(\mathbb{R}^{\ge 0} \cup \{\infty\}, \le)$. We first show that for any processes $E$ and $F$, the weakest condition for $E$ to be bisimilar to $F$ can be written in a disjunctive normal form.

Lemma 4.2 For any processes $E$ and $F$ which contain at most the free time variables $t_1, \ldots, t_n$, $WC(E, F)$ can be written in a disjunctive normal form

$$\bigvee_{i \in I} e^i_1 \le t_1 \le f^i_1 \wedge \cdots \wedge e^i_n(t_1, \ldots, t_{n-1}) \le t_n \le f^i_n(t_1, \ldots, t_{n-1})$$

for some finite $I$, where the time expressions $e^i_k(t_1, \ldots, t_{k-1})$ and $f^i_k(t_1, \ldots, t_{k-1})$ ($k = 1, \ldots, n$) contain at most the variables $t_1, \ldots, t_{k-1}$.

Remark For discrete time domains, the lemma in general does not hold. For example, the formula $3t = 5s$ cannot be written in the required form. In the next section, we will show how to restrict occurrences of time variables to retain the lemma for discrete time domains.

Proposition 4.3 For any processes $E$ and $F$, $WC(E, F) \vdash E = F$.

Corollary 4.4 $A \models E \sim F$ implies $A \vdash E = F$.

Corollary 4.5 (Completeness) For any processes $E$ and $F$, $E \sim F$ implies $\vdash E = F$.


4.3  Completeness  in  Discrete  Time  Domains 

In this section, we assume time to be discrete, e.g. the time domain is $(\mathbb{N} \cup \{\infty\}, \le)$, where $\mathbb{N}$ is the set of natural numbers.

As shown in the last section, Lemma 4.2 in general does not hold for discrete time domains. It is not known whether the proof system is complete for processes over the discrete time domain $(\mathbb{N} \cup \{\infty\}, \le)$. Consider the processes $E = a(t)\,.\, b(s)\,.\, (3s)\delta$ and $F = a(t)\,.\, (5t)\delta$. Clearly we have $\models E \sim F$, but $\vdash E = F$ is not derivable by using the above proposed technique. However, if we restrict the occurrences of time variables, we can still retain the lemma.

Notation Let $e$ be a time expression and $S$ be a set of time expressions. $e + S$ represents the set $\{e + f \mid f \in S\}$ of time expressions.

Definition 4.6 For any process $E$, the set of time expressions $Exp_1(E)$ of $E$ is inductively defined as follows:

$Exp_1(\delta) = \{0\}$   $Exp_1(a(t)^{e'}_{e}.\, E) = \{e, e'\}$

$Exp_1(nil) = \{0\}$   $Exp_1(E + F) = Exp_1(E) \cup Exp_1(F)$

$Exp_1((e)E) = e + Exp_1(E)$

Definition 4.7 For any process $E$, the sets of time expressions $Exp_2(E)$ and $Exp_3(E)$ of $E$ are defined as follows:

$Exp_2(\delta) = \emptyset$   $Exp_3(\delta) = \emptyset$

$Exp_2(nil) = \emptyset$   $Exp_3(nil) = \emptyset$

$Exp_2((e)E) = Exp_1(E)$   $Exp_3((e)E) = Exp_1((e)E) \cup Exp_3(E)$

$Exp_2(a(t)^{e'}_{e}.\, E) = Exp_3(E)$   $Exp_3(a(t)^{e'}_{e}.\, E) = Exp_1(a(t)^{e'}_{e}.\, E) \cup Exp_3(E)$

$Exp_2(E + F) = Exp_2(E) \cup Exp_2(F)$   $Exp_3(E + F) = Exp_3(E) \cup Exp_3(F)$

Proposition 4.8 For any normal form $E$, where $E = \sum_{i \in I} a_i(t_i)^{e_i'}_{e_i}.\, E_i + (e)\delta$, we have

$$Exp_3(E) = \bigcup_{i \in I} Exp_3(E_i) \cup \{e + 0,\ e_i,\ e_i' \mid i \in I\}$$

<€/ 


For any set of time expressions $S$, let $Basic(S)$ be the set of time expressions resulting from eliminating $\max$ and $\min$ in $S$ by the following procedure:

1. Let $Basic(S)$ be $S$.

2. If $\max(e, f) \in Basic(S)$ or $\min(e, f) \in Basic(S)$, then replace $\max(e, f)$ or $\min(e, f)$ by $e$ and $f$ in $Basic(S)$.

3. If $e \circ \max(f, f') \in Basic(S)$, or $\max(f, f') \circ e \in Basic(S)$, replace them by $e \circ f$ and $e \circ f'$, where $\circ$ is $+$ or $\dot{-}$.

4. If $e \circ \min(f, f') \in Basic(S)$, or $\min(f, f') \circ e \in Basic(S)$, replace them by $e \circ f$ and $e \circ f'$, where $\circ$ is $+$ or $\dot{-}$.

5. Repeat steps 2 to 4 until there is no occurrence of $\min$ and $\max$ in $Basic(S)$.

For any set of time expressions $S$, we say $S$ only contains time expressions which have single occurrences of the same time variables if for any time expression $e$ of $Basic(S)$, a time variable $t$ occurring in $e$ implies that $e$ satisfies one of the following conditions:

(1) $e = f \circ t$ or $e = t \circ f$ for some time expression $f$, where $t \notin fv(f)$, and $\circ$ is $+$, $\dot{-}$ or $-$.

(2) $e = e_1 \circ e_2$ for some time expressions $e_1$ and $e_2$ such that $t \notin fv(e_2)$ and $e_1$ satisfies one of the two conditions, or $t \notin fv(e_1)$ and $e_2$ satisfies one of the two conditions, where $\circ$ is $+$ or $\dot{-}$.

Let $\mathcal{L}'$ be the set of all processes such that for any $E \in \mathcal{L}'$, $Basic(Exp_3(E))$ only contains time expressions which have single occurrences of the same time variables. The sublanguage $\mathcal{L}'$ is still very rich. In fact, we have the following property:

Proposition 4.9 For any processes $E$ and $F$, if $E, F \in \mathcal{L}'$, then $E + F$ is still in $\mathcal{L}'$. Also, if $\{e, e'\}$ only contains time expressions which have a single occurrence of the same time variables and $E \in \mathcal{L}'$, then $a(t)^{e'}_{e}.\, E \in \mathcal{L}'$.
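To make the definition of $\mathcal{L}'$ concrete, here is an added example in Python (not code from the paper): it computes $Exp_3(E)$ of Definition 4.7, runs the $Basic(S)$ elimination of $\max$ and $\min$, and checks conditions (1) and (2) on the result to decide membership in $\mathcal{L}'$. It assumes that a bare time variable satisfies condition (1) (read as $t + 0$), that scalar multiples $u \times e$ do not, and that steps 2 to 4 of $Basic(S)$ apply to a $\max$ or $\min$ at any depth of an expression; the sample processes E1 to E4 are constructed for this example.

```python
# Added example (not the paper's own code): a membership test for the sublanguage
# L' of Section 4.3 -- Exp1/Exp3 of Definitions 4.6-4.7, the Basic(S) elimination of
# max/min, and the single-occurrence conditions (1)-(2).  Parallel composition is
# left out because Exp1-Exp3 are not defined for it.
from __future__ import annotations
from dataclasses import dataclass
from typing import FrozenSet, Union

# ---- time expressions (Definition 2.1); 'monus' is the conditional subtraction
@dataclass(frozen=True)
class Const: u: int
@dataclass(frozen=True)
class Var: name: str
@dataclass(frozen=True)
class Bin: op: str; left: TExpr; right: TExpr   # op: '+', 'monus', '*', 'max', 'min'
TExpr = Union[Const, Var, Bin]

def fv(e: TExpr) -> FrozenSet[str]:
    """Free time variables of e."""
    if isinstance(e, Var):
        return frozenset({e.name})
    if isinstance(e, Const):
        return frozenset()
    return fv(e.left) | fv(e.right)

def split(e: TExpr) -> FrozenSet[TExpr]:
    """Steps 2-4 of Basic(S) at any depth: replace each max(f,f')/min(f,f') in e
    by f and by f', keeping operand order of + and monus (assumed generalisation)."""
    if not isinstance(e, Bin):
        return frozenset({e})
    if e.op in ("max", "min"):
        return split(e.left) | split(e.right)
    return frozenset(Bin(e.op, l, r) for l in split(e.left) for r in split(e.right))

def basic(S: FrozenSet[TExpr]) -> FrozenSet[TExpr]:
    """Basic(S): S with every max and min eliminated (the fixpoint of step 5)."""
    return frozenset().union(*(split(e) for e in S))

def single_occurrence(e: TExpr, t: str) -> bool:
    """Conditions (1)-(2) for variable t of the max/min-free e.  Assumed readings:
    a bare t counts as t + 0; u * e is rejected since (1) allows only +, monus, -."""
    if isinstance(e, Var):
        return e.name == t
    if not isinstance(e, Bin) or e.op not in ("+", "monus"):
        return False
    in_left, in_right = t in fv(e.left), t in fv(e.right)
    if in_left and in_right:
        return False                    # t on both sides: two occurrences
    if e.left == Var(t) or e.right == Var(t):
        return True                     # (1): e = f o t or e = t o f, t not in fv(f)
    return single_occurrence(e.left if in_left else e.right, t)   # (2)

# ---- processes of Section 2.1: delta, nil, (e)E, a(t)_lo^hi . E and E + F
@dataclass(frozen=True)
class Delta: pass
@dataclass(frozen=True)
class Nil: pass
@dataclass(frozen=True)
class Delay: e: TExpr; body: Proc
@dataclass(frozen=True)
class Prefix: action: str; t: str; lo: TExpr; hi: TExpr; body: Proc
@dataclass(frozen=True)
class Sum: left: Proc; right: Proc
Proc = Union[Delta, Nil, Delay, Prefix, Sum]

def exp1(E: Proc) -> FrozenSet[TExpr]:
    """Exp1(E) of Definition 4.6."""
    if isinstance(E, (Delta, Nil)):
        return frozenset({Const(0)})
    if isinstance(E, Delay):
        return frozenset(Bin("+", E.e, f) for f in exp1(E.body))   # e + Exp1(E)
    if isinstance(E, Prefix):
        return frozenset({E.lo, E.hi})
    return exp1(E.left) | exp1(E.right)

def exp3(E: Proc) -> FrozenSet[TExpr]:
    """Exp3(E) of Definition 4.7: every time expression occurring in E."""
    if isinstance(E, (Delta, Nil)):
        return frozenset()
    if isinstance(E, (Delay, Prefix)):
        return exp1(E) | exp3(E.body)
    return exp3(E.left) | exp3(E.right)

def in_sublanguage(E: Proc) -> bool:
    """E is in L' iff each e in Basic(Exp3(E)) has single occurrences of its variables."""
    return all(single_occurrence(e, t) for e in basic(exp3(E)) for t in fv(e))

# ---- constructed sample processes over actions a, b and time variables t, s
t, s, one, two, ten = Var("t"), Var("s"), Const(1), Const(2), Const(10)
E1 = Prefix("a", "t", one, ten, Prefix("b", "s", Const(0), t, Delta()))      # in L'
E2 = Prefix("a", "t", one, ten,                             # bound t -. (2 -. t): t twice
            Prefix("b", "s", Const(0), Bin("monus", t, Bin("monus", two, t)), Delta()))
E3 = Prefix("a", "t", one, ten,                             # max/min bounds split by Basic
            Prefix("b", "s", Bin("max", one, t), Bin("min", Bin("+", t, two), Const(5)),
                   Delay(s, Delta())))
E4 = Prefix("a", "t", one, ten, Delay(Bin("*", two, t), Delta()))  # (2 x t)delta: excluded
```

E2 is rejected because $t$ occurs twice in one bound, E4 because $2 \times t$ is a scalar multiple, which matches the remark that $3t = 5s$ cannot be expressed in the required form.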

Now we can show that for the processes of $\mathcal{L}'$, Lemma 4.2 of the last section still holds.


Lemma 4.10 For any processes $E$ and $F$, where $E \in \mathcal{L}'$ and $F \in \mathcal{L}'$, $WC(E, F)$ can be written in the disjunctive normal form

$$\bigvee_{i \in I} e^i_1 \le t_1 \le f^i_1 \wedge \cdots \wedge e^i_n(t_1, \ldots, t_{n-1}) \le t_n \le f^i_n(t_1, \ldots, t_{n-1})$$

for some $n$ and $I$, where $I$ is finite, and $e^i_k(t_1, \ldots, t_{k-1})$, $f^i_k(t_1, \ldots, t_{k-1})$ ($k = 1, \ldots, n$) contain at most the variables $t_1, \ldots, t_{k-1}$.

Proposition 4.11 For any processes $E$ and $F$ of $\mathcal{L}'$, $WC(E, F) \vdash E = F$.

Corollary 4.12 (Completeness) For any processes $E$ and $F$ of $\mathcal{L}'$, if $E \sim F$, then $\vdash E = F$.

5  Proofs  of  Recursively  Defined  Processes 

Up to now, we have only considered finite processes. However, in [Che92a] we also allow recursively defined processes. For example, $\mu X.E$ represents an infinite process defined by the equation $X = E$. The operational rules for the process $\mu X.E$ are:

$$\frac{E\{\mu X.E/X\} \xrightarrow{\alpha}_u P}{\mu X.E \xrightarrow{\alpha}_u P} \qquad\text{and}\qquad \frac{E\{\mu X.E/X\} \to_u P}{\mu X.E \to_u P}$$

We say a process $E$ is weakly guarded if every process variable of $E$ is weakly guarded in $E$, where $X$ is weakly guarded in $E$ if every occurrence of $X$ is in some subterm of the form $a(t)^{e'}_{e}.\, F$ of $E$. For example, the process $a(t)^{10}_{0}.\, X + b(s)^{10}_{0}.\, nil$ is weakly guarded. However, the process $a(t)^{10}_{0}.\, X + X$ is not weakly guarded, as the second occurrence of $X$ is not guarded in it.

In this section, we consider proofs of recursively defined processes. We show by an example how the proof system also works for recursively defined processes. To do so, the proof system needs to be augmented with an axiom

$$true \vdash \mu X.E = E\{\mu X.E/X\}$$

and some form of induction. We choose a very simple form of induction, namely Unique Fixpoint Induction:

$$\frac{true \vdash P = E\{P/X\}}{true \vdash P = \mu X.E}$$

The soundness of the axiom can be proved by exhibiting an appropriate $T$-bisimulation. For a weakly guarded process $E$, the soundness of the above inductive rule follows from the property of unique solution of weakly guarded equations up to strong bisimulation [Che92b]. However, the inductive rule, in general, is not valid for a process $E$ which is not weakly guarded. For example, if $E = X$, then for any process $P$ we have $P \sim X\{P/X\}$ and clearly $a(t)^{10}_{0}.\, nil \not\sim \mu X.X$. Also, for every agent $P$, we have $P + a(t)^{10}_{0}.\, \delta \sim (a(t)^{10}_{0}.\, \delta + X)\{(P + a(t)^{10}_{0}.\, \delta)/X\}$, but $P + a(t)^{10}_{0}.\, \delta \not\sim \mu X.(a(t)^{10}_{0}.\, \delta + X)$ when we have $P = b(s)^{10}_{0}.\, \delta$.

Now we consider the processes

$$P \equiv \mu X.a(t)^{10}_{1}.\, (b(s)^{t \dot{-} (2 \dot{-} t)}_{0}.\, X + b(s)^{2t - 2}_{0}.\, X + b(s)^{t}_{0}.\, X)$$

and

$$Q \equiv \mu X.a(t)^{10}_{1}.\, (b(s)^{2t - 2}_{0}.\, X + b(s)^{t}_{0}.\, X)$$

and show how to derive

$$\vdash P = Q$$

in the extended proof system.
Since $Q$ is recursively defined and weakly guarded, by the above induction rule we only need to show that

$$\vdash P = a(t)^{10}_{1}.\, (b(s)^{2t - 2}_{0}.\, P + b(s)^{t}_{0}.\, P)$$

However, by the recursion axiom we have

$$\vdash P = a(t)^{10}_{1}.\, (b(s)^{t \dot{-} (2 \dot{-} t)}_{0}.\, P + b(s)^{2t - 2}_{0}.\, P + b(s)^{t}_{0}.\, P)$$

By rule 1 we only need to show

$$\vdash a(t)^{10}_{1}.\, (b(s)^{t \dot{-} (2 \dot{-} t)}_{0}.\, P + b(s)^{2t - 2}_{0}.\, P + b(s)^{t}_{0}.\, P) = a(t)^{10}_{1}.\, (b(s)^{2t - 2}_{0}.\, P + b(s)^{t}_{0}.\, P)$$

Clearly

$$\vdash P = P, \qquad \vdash b(s)^{2t - 2}_{0}.\, P = b(s)^{2t - 2}_{0}.\, P \qquad\text{and}\qquad \vdash b(s)^{t}_{0}.\, P = b(s)^{t}_{0}.\, P$$

By rule 5, we have

$$t > 2 \vdash b(s)^{t \dot{-} (2 \dot{-} t)}_{0}.\, P = b(s)^{t}_{0}.\, P$$

and

$$t \le 2 \vdash b(s)^{t \dot{-} (2 \dot{-} t)}_{0}.\, P = b(s)^{2t - 2}_{0}.\, P$$

By rule 7, we have

$$t \le 2 \vee t > 2 \vdash b(s)^{t \dot{-} (2 \dot{-} t)}_{0}.\, P + b(s)^{2t - 2}_{0}.\, P + b(s)^{t}_{0}.\, P = b(s)^{2t - 2}_{0}.\, P + b(s)^{t}_{0}.\, P$$

Since $1 \le t \le 10 \to t \le 2 \vee t > 2$, by rule 3 we have

$$1 \le t \le 10 \vdash b(s)^{t \dot{-} (2 \dot{-} t)}_{0}.\, P + b(s)^{2t - 2}_{0}.\, P + b(s)^{t}_{0}.\, P = b(s)^{2t - 2}_{0}.\, P + b(s)^{t}_{0}.\, P$$

By rule 5, we have the result

$$\vdash a(t)^{10}_{1}.\, (b(s)^{t \dot{-} (2 \dot{-} t)}_{0}.\, P + b(s)^{2t - 2}_{0}.\, P + b(s)^{t}_{0}.\, P) = a(t)^{10}_{1}.\, (b(s)^{2t - 2}_{0}.\, P + b(s)^{t}_{0}.\, P)$$


Remark Even untimed CCS is Turing-powerful [Mil89], and therefore no effective complete proof system can exist. By adding sufficiently powerful inductive methods for handling recursively defined processes, we would have a complete (and therefore ineffective) proof system for reasoning about real-timed processes.


6  Conclusion 


In this paper, we propose a relativised compositional proof system for real-time processes. The proof system is sound and is independent of the choice of time domain, allowing time to be discrete or dense. We show that the proof system is complete for finite processes over dense time domains, but only complete for a sublanguage over discrete time domains. We discuss how to restrict the definition of time expressions to get the sublanguage. Moreover, the proof system has no infinite rules and therefore is realistic and hopefully useful.

In [ACM92], we present a timed semantics for Milner's CCS, which in fact is a partial order or true concurrency semantics. As a result, we develop a partial order or true concurrency semantics for CCS based on an interleaving approach. The proof system discussed here can also be used for a partial order or true concurrency semantics of CCS.

Although the proof system is presented for Timed CCS, the approach can also be used for some other work. As an example, the approach can be used for the restricted language of Baeten and Bergstra's ACPρI discussed in [Klu91] (restricting to those prefixed integrations and not allowing general integration). As discussed in [Che92b], the restricted language of ACPρI just corresponds to Timed CCS.

Recently, Hennessy [Hen91] has independently developed a proof system for reasoning about value-passing processes. The main idea of his proof system is to separate reasoning about the data from reasoning about process behaviour. In his proof system, we derive statements of the form

$$Ass \vdash P \le Q$$

where $Ass$ is a list of assumptions about data expressions. This statement means that whenever these assumptions are true, then the process $P$ is semantically less than or equal to the process $Q$.

There is a simple proof system, pointed out by Kim Larsen, which consists of the single rule

$$\frac{WC(E, F)}{E = F}$$

The proof system is sound and complete for finite processes. The soundness and completeness are independent of the choice of the time domain.

Acknowledgement: I would like to thank S. Anderson, K. Larsen, F. Moller, A. Munro, J. Power and P. Sewell for many helpful discussions and constructive suggestions. I would also like to thank the anonymous referees for their helpful comments.

References 

[ACM92] S. Anderson, L. Chen & F. Moller, Observing Causality in Real-Timed Calculi, Preliminary Draft, LFCS, University of Edinburgh, 1992
[BB91] J.C.M. Baeten & J.A. Bergstra, Real Time Process Algebra, Formal Aspects of Computing, Vol 3, No 2, pp 142-188, 1991
[BK85] J.A. Bergstra & J.W. Klop, Algebra of Communicating Processes with Abstraction, Theoretical Computer Science 37, pp 77-121, 1985
[Che91a] L. Chen, Specification and Verification of Real-Time Systems, Note, 1991
[Che91b] L. Chen, Decidability and Completeness in Real-Time Processes, Technical Report ECS-LFCS-91-185, Edinburgh University, 1991
[Che92a] L. Chen, An Interleaving Model for Real-Time Systems, Proc. of Logical Foundations of Computer Science, Lecture Notes in Computer Science 620, pp 81-92, 1992
[Che92b] L. Chen, Timed Processes: Models, Axioms and Decidability, Ph.D. Thesis, University of Edinburgh, 1992
[Che93] L. Chen, A Model for Real-Time Process Algebras, Proc. MFCS'93, Lecture Notes in Computer Science, 1993
[CAM90] L. Chen, S. Anderson & F. Moller, A Timed Calculus of Communicating Systems, Technical Report ECS-LFCS-90-127, University of Edinburgh, 1990
[DDM89] P. Degano, R. De Nicola & U. Montanari, Partial Orderings Descriptions and Observations of Nondeterministic Concurrent Processes, Lecture Notes in Computer Science 354, pp 438-466, 1989
[Hen88] M. Hennessy, Axiomatising Finite Concurrent Processes, SIAM J. Comput. Vol 17, No 5, pp 997-1017, 1988
[Hen91] M. Hennessy, A Proof System for Communicating Processes with Value-Passing, Formal Aspects of Computing, Vol 3, No 4, pp 346-366, 1991
[Hoa85] C.A.R. Hoare, Communicating Sequential Processes, Prentice-Hall International, 1985
[Klu91] A.S. Klusener, Completeness in Real Time Process Algebra, Proceedings of CONCUR'91, Lecture Notes in Computer Science 527, pp 96-110, 1991
[Mil80] R. Milner, A Calculus of Communicating Systems, Lecture Notes in Computer Science 92, Springer-Verlag, 1980
[Mil89] R. Milner, Communication and Concurrency, Prentice-Hall International, 1989
[MT90] F. Moller & C. Tofts, A Temporal Calculus of Communicating Systems, Lecture Notes in Computer Science 458, pp 401-415, 1990
[RR88] G.M. Reed & A.W. Roscoe, A Timed Model for Communicating Sequential Processes, Theoretical Computer Science 58, pp 249-261, 1988
[Wan91] Y. Wang, CCS + Time = an Interleaving Model for Real Time Systems, Proc. of ICALP'91, Lecture Notes in Computer Science, 1991


A Predicative Semantics for the Refinement of Real-Time Systems


David Scholefield, Hussein Zedan, He Jifeng†

Formal Systems Research Group
Department of Computer Science
University of York, Heslington, York (UK)

† Programming Research Group
Oxford University, Keble Road, Oxford (UK)

Abstract. A formal framework for a calculus of real-time systems is presented. Specifications and program statements are combined into a single language called TAM (the Temporal Agent Model), that allows the user to express both functional and timing properties. A specification-oriented semantics for TAM is given, along with the definition of a refinement relation and a calculus which is sound with respect to that relation. A simple real-time program is also developed using the calculus.


1  Introduction 

In most formal development methods there are at least two languages involved, one for the specification task and one for the design task (often the translation to implementation is ignored, or considered to be trivial). However, an inherent problem with such a ‘multi-language’ approach is the lack of a method by which suitable designs are arrived at. A combination of experience and guess-work must be used in order to formulate a design, and then verification, a time-consuming task, is undertaken. If the verification fails then the design task is undertaken again. This cycle is repeated until verification is achieved.

To overcome this problem we have developed the ‘Temporal Agent Model’ (TAM), which is a theory centered around a wide-spectrum language in which both specifications and executable programs can be intermixed. A real-time functional specification in TAM is transformed step-by-step into a mixed program containing both specification fragments and executable code. Such transformations continue until a completely executable program is produced which is guaranteed correct with respect to the original specification. The program may then be analysed by run-time schedulability and allocation tools in the usual manner, and executed.

The  paper  introduces  extensions  to  first-order  predicate  logic  to  cover  time,  a  wide 
spectrum  language  with  a  specificational  semantics,  a  refinement  calculus,  and  an 
example  of  program  development. 

2  The  TAM  Philosophy 

TAM aims to be a realistic software development method for real-time systems. It has striven to support a computational model which is amenable both to analysis by run-time execution environment software, and to efficient implementation. In doing so, TAM has not shared any of the simplifying assumptions that other techniques promote, e.g. the maximum parallelism hypothesis (there exists an infinite number of resources available to the program) [7], and the instantaneous communication assumption promoted by many real-time process algebras [4] [8].

The trade-off is that TAM can often appear complex, both in the syntax it provides for specifications, and in the discharging of proof obligations during the verification process. Thus the learning curve for TAM is very steep, but we believe that the eventual pay-off is worth the extra effort: the TAM language not only provides a method for verifying real-time and functional correctness of programs, but also provides a language of great flexibility for discussing general issues in real-time system design. This latter point has been demonstrated in publications by researchers in fields which are not mainstream real-time (for example see [6]).

The TAM theory has also been designed to support a specific development method. Many so-called formal methods only consist of a notation, and not a method which enables the user to carry out a specific list of steps in order to arrive at a correct implementation. The TAM method can be summarised as follows:


- Step 1 - the user describes timing and functional requirements in a specification language based upon simple extensions to first-order predicate logic. The specification also defines the interface between the system and the environment.

- Step 2 - the TAM theory provides a set of laws which enables the user to gradually replace parts of the specification with executable code which is guaranteed to be correct with respect to the specification. This process is known as step-wise refinement.

- Step 3 - eventually only executable code remains, and this is analysed by schedulability and allocation tools, compiled, and then executed.

The executable language provides real-time syntactic constructs such as deadlines and timeouts, as well as more conventional constructs such as assignment, loops, concurrent composition, communication and conditionals. There is no provision of any syntax to describe the behaviour of the resources used when the program is executed, e.g. there is no syntax to describe which processor each concurrent agent should execute on. This is because we believe that the run-time execution support tools such as schedulers and task allocators, and not the programmer, should provide information such as the placement of agents: programs should be independent of such concerns. If this were not the case then the verification process would have to deal with much more complex issues such as scheduling correctness and task placement, and this would prove infeasible in any realistic computational model.

The TAM software development method therefore results in a number of concurrent agents, which are descriptions of tasks, and which include information such as deadlines, delays, precedence constraints etc. We then expect the run-time execution environment tools to place those agents, and decide upon their release times (within the bounds defined by the timing information inherent in the syntactic description of the agents) so as to make the schedulability test succeed. This approach makes the verification manageable, but has the drawback that the scheduler may not be able to find a schedule for the given set of agents, and the development process may be forced to backtrack to ensure that a different set of agents is produced. We are currently investigating ways in which tools such as the scheduler can produce guidance to the refinement process at a very early stage so as to avoid backtracking.

The TAM theory also aims to provide a language which supports the ways in which software engineers already produce software, rather than forcing them to change development practices to suit a particular formal approach. For this reason we provide a wide-spectrum language which has a syntax that supports both conventional real-time programming constructs (a kind of Pascal with deadlines, delays, timeouts, and timestamps), and a specification construct in which requirements may be written. The specification construct forms a normal part of the language and may be freely intermixed with other code. A program may then contain assertions on what the programmer requires, as well as algorithms which describe how requirements are going to be met. This language directly supports the step-wise refinement process as well as allowing for a less strict method in which some parts of systems can be specified and refined, and some parts can be written directly in code.

The TAM theory views a real-time system as a set of concurrently executing agents, each with deadline, release offsets, and period or release event. Agents communicate via shared variables called shunts. Shunts are time-stamped with the time of the most recent write (the programmer does not have to worry about writing the time-stamp as it is assumed that the run-time execution environment will perform this task). Shunts may only be written to by a single agent throughout the lifetime of the system (although they may be read by many). Shunts are assumed to be non-blocking on reading and writing, and therefore an agent does not have to wait for a partner in order to read or write a shunt. Agents also have local protected state. The values found in shunts and variables at the start of the system execution are nondeterministic. All agents are assumed to be terminating.

The use of timestamps in the shunts enables the user to reason about the freshness of data, and this, we believe, is one of the most important issues in real-time software design. Timestamps also provide the basic building block of real-time requirements specifications: we discuss this in detail in the next section.


3  The  TAM  Real-Time  Logic 

3.1  Overview 

The  TAM  real-time  logic  is  used  both  as  a  language  in  which  to  express  requirements 
specifications,  and  as  a  formalism  in  which  to  define  the  semantics  of  the  wide- 
spectrum  language  used  in  the  TAM  theory.  It  is  constructed  from  conservative 
extensions  to  first-order  predicate  logic,  and  this  enables  the  developer  to  use  the 
standard  first-order  proof  system.  The  logic  formalises  the  notion  of  a  timed  variable 
which  is  the  notation  used  to  represent  real-time  program  variables  and  shunts.  Time 
is  represented  by  positive  integers,  and  a  timing  function  is  used  to  represent  the 
values  found  in  variables  and  shunts  at  a  specific  time.  Specifications  are  therefore 
constraints  on  the  relationship  between  time-stamps  and  values  found  in  shunts 
during  the  lifetime  of  the  system.  Additional  free  variables  are  also  provided  which 
represent  the  release  and  termination  time  of  the  system;  these  variables  may  be 
predicated over in the usual way and therefore provide a mechanism for specifying
duration. 

The timing function is denoted ‘@’ and is defined over pairs containing the name of a variable or shunt, and a time: thus the term ‘@(X, 3)’ represents the value found in the variable (shunt) X at time=3. We usually write the term with ‘@’ as an infix function. The projection functions ‘.ts’ and ‘.v’ are also used to refer to the time-stamp and value found in a shunt respectively, so we can write $s.v@t$ (the value found in shunt $s$ at time=$t$), and $s.ts@t$ (the timestamp found in shunt $s$ at time=$t$). The two free variables $t_\alpha$ and $t_\omega$ are used to denote the release time of the system, and the termination time of the system respectively.

Example 

Consider  a  simple  real-time  system  which  within  10  time  units  reads  the  integer 
value  from  a  shunt  called  in,  calculates  the  square  of  the  number,  and  outputs  the 
value  to  a  shunt  called  out.  It  is  assumed  that  the  behaviour  of  the  shunt  in  is 
constrained  by  the  environment,  but  that  the  shunt  out  is  entirely  under  the  control 
of  the  system  we  are  specifying.  The  liveness  and  timeliness  property  for  this  system 
is  captured  in  the  following  formula: 

$$\exists \sigma : \mathcal{N}\,\bigl(\sigma \in [t_\alpha, t_\omega] \wedge out.v@t_\omega = (in.v@\sigma)^2 \wedge t_\omega \le t_\alpha + 10\bigr)$$

Of course it is also important that no other value is written to the shunt out during the execution of the system, and so we provide a safety requirement that asserts that during the execution of the system there is only one write to the shunt out (we do this by counting the number of time-stamps which appear in out that are different to the time-stamp found at time=$t_\omega$):

$$\#\{\,n \mid \exists \sigma : \mathcal{N}\,(\sigma \in [t_\alpha, t_\omega] \wedge out.ts@\sigma = n) \wedge n \neq out.ts@t_\omega\,\} = 1$$

The  specification  formed  from  the  conjunction  of  these  two  formulae  is  much 
more  complex  than  specifications  commonly  written  for  transformational  systems. 
This  is  because  we  have  to  concern  ourselves  with  the  values  found  in  the  shunt  out 
during  the  lifetime  of  the  system  rather  than  just  at  the  start  and  end  of  execution; 
of  course  this  is  true  of  any  specification  language  for  reactive  systems. 


3.2  The  TAM  Logic  Language 

The real-time TAM logic is a multi-sorted, first-order, predicate logic, and is made up of the following symbols:

- The truth symbols $true$ and $false$

- A set of variable symbols $x, y, \ldots$

- The duration symbols $t_\alpha$ and $t_\omega$

- A set of computation variables $Name_v$

- A set of computation variable variables $a, b, c, \ldots$

- A set of shunt names $Name_s$

- A set of shunt name variables $s, s', \ldots$

- A set of constant symbols $C$

- A set of function symbols $+, -, \times, \ldots$

- The timing function symbol ‘@’ and the projection function symbols ‘.ts@’ and ‘.v@’

- A set of predicate symbols $<, >, =, P, Q, \ldots$

- The propositional connectives $\wedge$ and $\neg$

- The universal quantifier $\forall$, and existential quantifier $\exists$

- Right and left parentheses (, )

There are three sorts of terms: $\mathcal{N}$-terms, $Name_v$-terms and $Name_s$-terms. These terms are constructed as follows:

- The constant symbols in $C$ are terms of sort $\mathcal{N}$

- The variable symbols are terms of sort $\mathcal{N}$

- The computation variable variables form terms of sort $Name_v$

- The shunt variables form terms of the sort $Name_s$

- The symbols in $Name_v$ are terms of sort $Name_v$

- The symbols in $Name_s$ are terms of sort $Name_s$

- If $f$ is a function of arity $n$ and $t_1, \ldots, t_n$ are terms of sort $\mathcal{N}$ then $f(t_1, \ldots, t_n)$ is a term of sort $\mathcal{N}$

- If $x$ is a term of sort $Name_v$ and $t$ is a term of sort $\mathcal{N}$, then $@(x, t)$ is a term of sort $\mathcal{N}$

- If $x$ is a term of sort $Name_s$ and $t$ is a term of sort $\mathcal{N}$, then $.ts@(x, t)$ is a term of sort $\mathcal{N}$

- If $x$ is a term of sort $Name_s$ and $t$ is a term of sort $\mathcal{N}$, then $.v@(x, t)$ is a term of sort $\mathcal{N}$

- The duration symbols $t_\alpha$ and $t_\omega$ are terms of sort $\mathcal{N}$


Formulae are defined as follows:

- If $P$ is an arity-$n$ predicate, and $t_1, \ldots, t_n$ are terms of the appropriate sort, then $P(t_1, \ldots, t_n)$ is a formula

- If $\Phi$ and $\Psi$ are formulae, then $\Phi \wedge \Psi$ is a formula

- If $\Phi$ is a formula then $\neg\Phi$ is a formula

- If $x$ is a variable symbol which occurs free and of sort $Name_s$ in $\Phi$, then $\forall x : Shunt(\Phi)$ is a formula (similarly for $\exists$)

- If $x$ is a variable symbol which occurs free and of sort $Name_v$ in $\Phi$, then $\forall x : Var(\Phi)$ is a formula (similarly for $\exists$)

- If $x$ is a variable symbol which occurs free and of sort $\mathcal{N}$ in $\Phi$, then $\forall x : \mathcal{N}(\Phi)$ is a formula (similarly for $\exists$)


3.3  The  Meaning  of  Real-Time  TAM  Logic  Formulae 

We define three sorts in our domain of interest: the set of positive integers $\mathcal{N}$, a set of text strings $Strings_s$ and a set of strings $Strings_v$. Functions and predicates are given their usual interpretation, and the terms are interpreted as follows:

- Each element in the set $C$ is assigned an element in $\mathcal{N}$

- Each element in the set $Name_s$ is assigned a unique text string in $Strings_s$ which corresponds to the symbol found in the name (e.g. $s \in Name_s$ is assigned the string ‘s’)

- Each element in the set $Name_v$ is assigned a unique text string in $Strings_v$

- The duration symbols are assigned values from $\mathcal{N}$.

- The function ‘@’ is assigned a value from the function space $[[Strings_s \cup Strings_v \times \mathcal{N}] \to \mathcal{N}]$

- The functions ‘.ts@’ and ‘.v@’ are each assigned a value from the function space $[[Strings_s \times \mathcal{N}] \to \mathcal{N}]$

Given an interpretation $\mathcal{I}$ with the structure defined above, we define satisfaction ($\models$) as follows:

$\mathcal{I} \models \Phi \wedge \Psi$ iff $\mathcal{I} \models \Phi$ and $\mathcal{I} \models \Psi$

$\mathcal{I} \models \neg\Phi$ iff not $\mathcal{I} \models \Phi$

$\mathcal{I} \models P(t_1, \ldots, t_n)$ iff $\mathcal{I}(P)(\mathcal{I}(t_1), \ldots, \mathcal{I}(t_n))$

$\mathcal{I} \models \forall x : Shunt(\Phi)$ iff for every element $s$ in $Strings_s$ we have $\mathcal{I} \models \Phi[s/x]$

$\mathcal{I} \models \forall x : Var(\Phi)$ iff for every element $v$ in $Strings_v$ we have $\mathcal{I} \models \Phi[v/x]$

$\mathcal{I} \models \forall x : \mathcal{N}(\Phi)$ iff for every element $n$ in $\mathcal{N}$ we have $\mathcal{I} \models \Phi[n/x]$

$\mathcal{I} \models \exists x : T(\Phi)$ iff $\mathcal{I} \models \neg\forall x : T(\neg\Phi)$

where $T$ is $\mathcal{N}$, $Shunt$, or $Var$.


We also assume the usual shorthand notation for defining disjunction, implication, and existential quantification. We use the ‘@’ in infix form, and write $.ts@(s, t)$ as $s.ts@t$ and similarly for ‘.v@’. In addition we shall use the notation $s@n = s@m$ as a shorthand notation for $s.v@n = s.v@m \wedge s.ts@n = s.ts@m$, and the notation $s@n = (x, y)$ for $s.ts@n = x \wedge s.v@n = y$. We also assume the usual notation for indexed (finite) conjunction and disjunction.

3.4  Axioms 

We can rely on the fact that writing to a shunt will cause the timestamp in the shunt to update appropriately.

(Freshness) $\forall s : Shunt(\forall t : \mathcal{N}(s.v@t \neq s.v@(t-1) \Rightarrow s.ts@t = t))$


We can also rely on the termination time of a system to be at, or after, the release time.

(Duration) $t_\omega \ge t_\alpha$


4  The  TAM  Language 

The TAM language contains both a specification statement syntax, and a syntax for an imperative style real-time programming language, which we shall refer to as the concrete syntax. The major difference between the specification statement and the concrete syntax is that variables and shunts are referred to in the concrete syntax without reference to the timing function; the semantics are responsible for the association between the variables and shunts at the concrete level and the timed variables and shunts in the underlying logic. The syntax can be defined in terms of agents by the following table:


Agent form                                Name

$w : \Phi$                                Specification
$x := e$                                  Assignment
$(x, y) \leftarrow s$                     Input
$x \rightarrow s$                         Output
$A ; B$                                   Sequence
$[\,]_{i \in I}\; g_i \Rightarrow A_i$    Conditional
$A \parallel B$                           Concurrent
$[S]A$                                    Deadline
$A / s$                                   Restriction
$(x)A$                                    Local
$A \rhd_s^n B$                            Signal
$A^n$                                     Iteration

where $w$ is a set of shunt and variable names, $\Phi$ is a real-time TAM logic formula, $e$ is some term on computation variables which evaluates to a value in $\mathcal{N}$, $x$ and $y$ are terms of sort $Name_v$, $s$ is a term of sort $Name_s$, $A$ and $B$ are agents, $I$ is some finite indexing set, $g_i$ are boolean expressions (predicates) on shunt names and computational variable names, $S$ is a set of values from $\mathcal{N}$, and $n$ is a value from $\mathcal{N}$.

The  semantics  and  well-formedness  conditions  can  be  informally  described  as 
follows: 

Specification

The user of the TAM theory is expected to keep account of the environment of each agent, i.e. the set of variable and shunt names which may be written to by each agent. The frame $w$ in the specification agent denotes those variables and shunts which are in the environment of the specification and which may have their value changed by an agent which is a valid refinement of the specification. Thus, any variable or shunt which is in the agent’s environment, but which is not in the frame, can be assumed to remain stable during the execution of the agent.

The real-time TAM logic formula $\Phi$ provides a specification of the behaviour of the system which will eventually result from the refinement of $w : \Phi$. This is usually achieved by constraining the values and timestamps found in the shunts that appear in $w$, and by predicating over the values of $t_\alpha$ and $t_\omega$.

Assignment

The expression $e$ is a term within which variables may be referred to without reference to the timing function. This is because the application of the timing function with the time equal to the release time of the assignment agent will be assumed. Thus the agent form:

$x := x + y$

(where $x$ and $y$ are computation variable names) will be translated by the semantics into the constraint:

$x@t_\omega = x@t_\alpha + y@t_\alpha$

Note that because the variables $x$ and $y$ must belong to the assignment agent, and no concurrently executing agent can write to those variables, it does not matter when the values are read; thus reading them at time=$t_\alpha$ is simply a notational convenience. The assignment statement will also take some time in which to execute, and no assignment will be instantaneous (even assignments of the form $x := x$).

Input

The input statement reads the timestamp and value from a shunt at the same time. The timestamp is read into the left variable, and the value into the right. The read is asynchronous, i.e. it does not need a partner (doing the writing) with which to synchronise. The reading cannot be instantaneous. The read occurs sometime between the release and termination of the read agent, but the user cannot depend upon a particular instant (unless he constrains the reading further by deadlines and delays etc.). If there has been no write to the shunt before the read takes place then the value and timestamp can have any value from $\mathcal{N}$.

Output

The output statement writes the value given into the shunt. The value can be any positive integer constant, or the value found in a computational variable. The write occurs sometime between the release time and termination time of the write agent, but the user cannot depend upon a specific time (unless he specifically constrains the write with deadlines and delays etc.). The run-time system is responsible for writing the current time as a timestamp into the shunt, at the same time as the value is written. The writing is asynchronous in that the output agent does not have to wait for a partner (doing the reading) in order to write to the shunt. The shunt is assumed to have been written to before the output agent terminates.
Sequence

The termination time of the first agent becomes the release time of the second. Thus sequencing defines a precedence relation, not a physical operation, and the transfer of control is assumed to occur instantaneously. The final instant of the first agent is also the first instant of the second, and this initially suggests the scheduling problem of the ‘dangling drop’ (i.e. the extreme case where the first task is pre-empted at the point where it has actually completed all of its computation, but has not yet told the run-time system; technically the deadline of the first task may be missed even though it has completed all of its useful work). This however is not a problem as an idle delay tick may be inserted at the release time of the second agent. This is consistent with the semantics: no agent may do any communication on its release instant and so it can be assumed to idle.

Conditional

Each of the boolean expressions is evaluated, and the agent corresponding to a true value will be executed immediately. The expressions can be any predicate (with shunts and variable names occurring untimed). If none of the boolean expressions is true then the agent terminates immediately, and if more than one is true then a non-deterministic choice is made between them. The semantics do not assume that the evaluation of the conditionals requires any computational resources, and this enables the user to encode idle polling. However, care needs to be taken during refinement to ensure that computationally expensive evaluation is not constrained into an infeasibly small interval: this is discussed in more detail in section 6. As with the assignment, the values at the release time of the agent are used (i.e. shunt values at the release time of the conditional agent are used; this must also be taken into account when conditional evaluation is considered). We use the notation $g \Rightarrow A$ when only one conditional is present.

Concurrency

Concurrency is distributed and so the concurrent composition terminates when both agents have terminated. Concurrent agents should not write to the same shunt, and should not refer to the same computation variables. An attempt to do so may result in the system aborting with unpredictable results. We use the shorthand notation $\parallel_{i \in I} A_i$ for indexed concurrency. Concurrency should be seen as a declaration of the lack of precedence constraints between two agents: if those agents are representing tasks then the concurrency operator declares that those two tasks can be independently scheduled.

Deadline

It is assumed that the duration of the agent (the difference between release and termination time) is equal to one of the values found in the set $S$. Thus the deadline agent forms a constraint upon the run-time execution environment that the refinement calculus and the system developer can depend upon being met.

Restriction

The shunt in the restriction becomes ‘hidden’ from the rest of the system and may only be written and read by the agent specified. This operator becomes useful when program equivalence is being proven: it is possible to prove that a program which uses a number of concurrently executing agents, communicating via hidden shunts, is equivalent to an agent with no apparent internal structure.

Local

The variable in the local declaration becomes ‘hidden’ and the rest of the system (i.e. the sequential agents which follow the agent with the hidden variable) may not read it or write to it. We use the shorthand notation $(x, y)A$ in place of $(x)(y)A$ etc. for clarity.

Signal 

The  given  shunt  is  treated  as  a  signal,  and  is  monitored  from  the  release  time  for 
the  number  of  time  units  specified.  If  the  shunt  is  written  to  in  that  interval  then 
the  agent  on  the  right  is  released  with  a  release  time  equal  to  that  of  the  first  write 
to  the  shunt,  otherwise  the  agent  on  the  left  is  released  at  the  end  of  the  interval. 

Iteration 

The  specified  agent  will  be  executed  in  sequence  the  given  number  of  times.  This 
agent  is  simply  used  as  a  shorthand  for  long  sequences  of  task  executions. 


4.1  Semantics 

We start by defining some useful predicates on shunts and variables. The predicate ‘stable’ asserts that the shunt $s$ will not be changed during the given interval:

Definition Stable (shunts) $stable(s, n, m) =_{def} \forall\sigma : \mathcal{N}(\sigma \in (n, m] \Rightarrow s@\sigma = s@(\sigma - 1))$

Similarly for variables:

Definition Stable (variables) $stable(x, n, m) =_{def} x@m = x@n$

In addition, the definitions for stable are extended to sets of variables or shunts.

The predicate write asserts that a given value is written to a shunt within an interval, and that the shunt remains stable at all other times within the interval:

Definition Write $write(x, s, n, m) =_{def} \exists\sigma : \mathcal{N}(\sigma \in (n, m] \wedge stable(s, n, \sigma - 1) \wedge s@\sigma = (\sigma, x) \wedge stable(s, \sigma, m))$

We also define an operator for dividing formulae into time-consecutive subformulae:

Definition Chop. Given two timed logic formulae $A$ and $B$, then

$A \frown B =_{def} \exists m : \mathcal{N}(m \in [t_\alpha, t_\omega] \wedge A[m/t_\omega] \wedge B[m/t_\alpha])$
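To make the definitions concrete, the following is an added example (not the paper's or the TAM project's code): a Python model of finite timed traces that evaluates the Freshness axiom of section 3.4, the stable, write and chop predicates just defined, and the liveness and safety requirements of the squaring example of section 3.1 over constructed runs. It assumes integer time on a bounded horizon and reads stable and write as written above; the trace contents, the shunt names in and out, and all function names are its own.

```python
"""Added example (not the paper's own code): a finite-trace model of the TAM
real-time logic.  A trace records, for every shunt or variable name, the
(timestamp, value) pair held at each time 0, 1, ..., so that s.ts@t, s.v@t and
x@t are lookups.  The functions encode the Freshness axiom of section 3.4, the
stable/write/chop definitions of section 4.1 (as read from the text) and the
liveness and safety requirements of the squaring example of section 3.1.
All traces are constructed sample data."""
from typing import Callable, Dict, List, Tuple

Trace = Dict[str, List[Tuple[int, int]]]   # name -> [(ts, v) at time 0, 1, ...]
Pred = Callable[[Trace, int, int], bool]   # formula over (trace, t_alpha, t_omega)


def ts(tr: Trace, s: str, t: int) -> int:
    """s.ts@t: the timestamp held in shunt s at time t."""
    return tr[s][t][0]


def val(tr: Trace, s: str, t: int) -> int:
    """s.v@t: the value held in shunt s at time t."""
    return tr[s][t][1]


def fresh(tr: Trace, s: str) -> bool:
    """Freshness: whenever s.v@t differs from s.v@(t-1), s.ts@t = t."""
    return all(ts(tr, s, t) == t
               for t in range(1, len(tr[s]))
               if val(tr, s, t) != val(tr, s, t - 1))


def stable(tr: Trace, s: str, n: int, m: int) -> bool:
    """stable(s, n, m): for every sigma in (n, m], s@sigma = s@(sigma - 1)."""
    return all(tr[s][sig] == tr[s][sig - 1] for sig in range(n + 1, m + 1))


def write(tr: Trace, v: int, s: str, n: int, m: int) -> bool:
    """write(v, s, n, m): a single write of v to s at some sigma in (n, m],
    stamped sigma, with s stable before and after it inside the interval."""
    return any(stable(tr, s, n, sig - 1)
               and tr[s][sig] == (sig, v)
               and stable(tr, s, sig, m)
               for sig in range(n + 1, m + 1))


def chop(a: Pred, b: Pred) -> Pred:
    """A chop B: some m in [t_alpha, t_omega] is A's termination and B's release."""
    return lambda tr, ta, tw: any(a(tr, ta, m) and b(tr, m, tw)
                                  for m in range(ta, tw + 1))


def square_liveness(tr: Trace, ta: int, tw: int) -> bool:
    """exists sigma in [ta, tw]: out.v@tw = (in.v@sigma)^2, and tw <= ta + 10."""
    return tw <= ta + 10 and any(val(tr, "out", tw) == val(tr, "in", sig) ** 2
                                 for sig in range(ta, tw + 1))


def square_safety(tr: Trace, ta: int, tw: int) -> bool:
    """#{n | exists sigma in [ta, tw]: out.ts@sigma = n, n != out.ts@tw} = 1,
    i.e. exactly one write to out happens during the execution."""
    stamps = {ts(tr, "out", sig) for sig in range(ta, tw + 1)}
    return len(stamps - {ts(tr, "out", tw)}) == 1


def square_spec(tr: Trace, ta: int, tw: int) -> bool:
    """Conjunction of the two requirements, under the Freshness axiom."""
    return (fresh(tr, "in") and fresh(tr, "out")
            and square_liveness(tr, ta, tw) and square_safety(tr, ta, tw))


def make_trace(out_writes: Dict[int, int], horizon: int = 13) -> Trace:
    """Constructed run: the environment writes 7 to 'in' at time 2; the system
    writes to 'out' at the given times.  Initial contents are arbitrary."""
    tr: Trace = {"in": [], "out": []}
    cur_out = (1, 0)
    for t in range(horizon):
        tr["in"].append((2, 7) if t >= 2 else (0, 3))
        if t in out_writes:
            cur_out = (t, out_writes[t])   # the run-time system stamps the write
        tr["out"].append(cur_out)
    return tr


GOOD = make_trace({6: 49})            # one write of 49 at time 6
DOUBLE = make_trace({6: 49, 9: 49})   # same value written twice: safety fails

# Sequence semantics via chop: a 2-tick idle agent followed by the output agent.
DELAY_THEN_WRITE: Pred = chop(
    lambda tr, ta, tw: tw - ta == 2 and stable(tr, "out", ta, tw),
    lambda tr, ta, tw: write(tr, 49, "out", ta, tw))

if __name__ == "__main__":
    print("spec on GOOD   (ta=3, tw=10):", square_spec(GOOD, 3, 10))     # True
    print("spec on DOUBLE (ta=3, tw=10):", square_spec(DOUBLE, 3, 10))   # False
    print("delay;write from 3:", DELAY_THEN_WRITE(GOOD, 3, 10))          # True
    print("delay;write from 5:", DELAY_THEN_WRITE(GOOD, 5, 10))          # False
```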

The semantics of an agent are now given by a timed logic formula. The specification statement is defined in this manner also, giving a natural interpretation for a refinement relation. Note that we use the notation $\bar{w}$ to denote those variables and shunts which are owned by the specification agent, but which do not appear in the frame, and the notation $TL$ to denote the agent $\emptyset : true$ (a particularly useful agent). Figure 1 gives the definition of the semantics. We also assume that the set of variables and shunts owned by the agent $A \parallel B$ is partitioned into disjoint environments for $A$ and $B$; the identification of environments with agents is informal, and it is the responsibility of the refiner to decide upon suitable partitions¹.


$[\![ w : \Phi ]\!] =_{\mathit{def}} \mathit{stable}(\bar{w}, t_a, t_\omega) \wedge \Phi$

$[\![ x := e ]\!] =_{\mathit{def}} [\![ \{x\} : (t_a < t_\omega \wedge x@t_\omega = e@t_a) ]\!]$

$[\![ e \to s ]\!] =_{\mathit{def}} [\![ \{s\} : \mathit{write}(e, s, t_a, t_\omega) ]\!]$

$[\![ A/s ]\!] =_{\mathit{def}} \exists x : \mathit{Shunt}([\![A]\!][x/s])$

$[\![ (x, y) \leftarrow s ]\!] =_{\mathit{def}} [\![ \{x, y\} : t_a < t_\omega \wedge \exists m : \mathbb{N}(m \in [t_a, t_\omega] \wedge x@t_\omega = s.ts@m \wedge y@t_\omega = s.v@m) ]\!]$

$[\![ (x)A ]\!] =_{\mathit{def}} \exists y : \mathit{Var}([\![A]\!][y/x])$

$[\![ A \mid B ]\!] =_{\mathit{def}} ([\![A]\!] \frown [\![TL]\!]) \wedge ([\![B]\!] \frown [\![TL]\!])$

$[\![ [S]A ]\!] =_{\mathit{def}} [\![A]\!] \wedge (t_\omega - t_a) \in S$

$[\![ A; B ]\!] =_{\mathit{def}} [\![A]\!] \frown [\![B]\!]$

$[\![ \sqcup_i\, g_i \Rightarrow A_i ]\!] =_{\mathit{def}} ((g_1@t_a \wedge [\![A_1]\!]) \vee \ldots \vee (g_n@t_a \wedge [\![A_n]\!]))$

$[\![ A \rhd^n_s B ]\!] =_{\mathit{def}} (\mathit{Nowrite} \frown [\![A]\!]) \vee (\mathit{Input} \frown [\![B]\!])$

$[\![ \mu_{n+1} A ]\!] =_{\mathit{def}} [\![A]\!] \frown [\![\mu_n A]\!]$ $\qquad$ $[\![ \mu_0 A ]\!] =_{\mathit{def}} [\![TL]\!]$

$\mathit{Nowrite} =_{\mathit{def}} [\![ \emptyset : t_\omega = t_a + n \wedge s.ts@t_a < t_a \wedge \mathit{stable}(s, t_a, t_\omega) ]\!]$

$\mathit{Input} =_{\mathit{def}} [\![ \emptyset : t_\omega \in (t_a, t_a + n] \wedge s.ts@t_\omega = t_\omega \wedge \forall m \in [t_a, t_\omega)(s.ts@m = s.ts@t_a) ]\!]$

Fig.  1.  TAM  Semantics 


5  Standard  Agent  Definitions 

In a number of TAM publications, definitions for agents which capture real-time behaviour succinctly have been proposed; these definitions have been syntactic sugar for complex concrete agent forms. In this section we define the standard agent forms for periods, delays, finding the current time (within bounds), and managing mutual exclusion.

1 The partitioning is almost always obvious as the frame of any specification agent dictates the minimum contents of the specification agent's environment. Those variables or shunts which are not changed by either of the two concurrently executing agents may appear in either environment.
5.1 Minimum Delays

A delay agent does not change any variable or shunt value, and guarantees not to terminate for a minimum duration (i.e. it models an idle delay). Given a duration $n \in \mathbb{N}$, we define the delay agent as:

$\delta_n =_{\mathit{def}} \emptyset : t_\omega \geq t_a + n$

A  specific  length  delay  (which  might  be  used  to  model  task  offsets  for  instance) 
can  be  defined  by: 

$\Delta_n =_{\mathit{def}} [\{n\}]\delta_n$

This  agent  will  guarantee  to  terminate  at  exactly  n  time  units  after  release. 

5.2  The  Current  Time 

Consider  the  following  agent  which  writes  to  a  private  shunt  and  then  reads  the 
timestamp  which  was  just  written: 

$(0 \to s;\ (ts, x) \leftarrow s)/s;\ A$

The value found in the variable ts will provide a lower bound only on the current
time.  This  is  because  the  agent  may  have  been  pre-empted  between  the  writing  of 
the  shunt  and  the  reading,  or  between  the  reading  and  the  use  of  the  timestamp  in 
agent  A. 

However,  consider  the  following  agent  which  performs  the  same  task,  but  within 
a  tight  deadline: 

$[n]((0 \to s;\ (ts, x) \leftarrow s;\ A)/s)$

The user knows that in the agent A the value found in the variable ts will have a bound on freshness, i.e. he will know that the current time is somewhere between ts and ts + n.

5.3  Specific  Deadlines 

We overload the deadline operator to define a more restricted deadline. We use the notation $[n]A$ (where n is a single positive integer value) to denote the agent $[[0..n]]A$.


5.4  Periodic  Agents 

The periodic agent can now be defined. Given an agent A, a period T, a deadline D, and a number of periods n, then:

Period(A,  T.  D.  n)  =  ( [7~] ( I^T*) ) 

In this definition we assume that D < T; if we remove this constraint then we have a more general periodic agent:
Period(A,  T,  D,n)  =  «);PM

But note that in overlapping agents we have to consider certain constraints on the possibility of writing to the same shunt in the overlap; this is discussed in more detail in section 7.

5.5  Critical  Sections 

Consider the case when two (or more) agents wish to write to the same shunt (i.e. share the same resource), and the system has to enforce mutual exclusion. We can model this by attaching a semaphore-dispatch agent to the shared shunt which communicates with the requesting tasks via three sets of shunts: Req1, Req2 are written to by the requesting agents when they require exclusive access to the shunt, Gnt1, Gnt2 are used to grant access (the semaphore-dispatch agent writes to the shunt of the agent requesting access), and Rel1, Rel2 are used to release the semaphore and are written by the requesting agent when it has finished. We also assume a priority of agent 1 over agent 2 if two requests for access are made at the same time. The semaphore-dispatch agent is assumed to grant up to n semaphores (or ticks for which the semaphore is not granted) before it removes the resource from the system. We also place a bound on the waiting time for the release signal of m time units (in case an agent ‘hangs’ without releasing); this is acceptable only if we choose an m which is greater than the deadline of both requesting agents.

We  can  write  the  semaphore-dispatch  agent  as  follows: 

$\mu_n((\Delta_1 \rhd^1_{Req_2} [1](0 \to Gnt_2);\ R(2)) \rhd^1_{Req_1} [1](0 \to Gnt_1);\ R(1))$

$R(n) =_{\mathit{def}} TL \rhd^m_{Rel_n} TL$

The behaviour of this agent can be read as follows. The first signal to be tested is that for Req1 (the request for access from agent 1); the test will only be for a single instant in time. If the agent is signalling then the grant shunt will be written to within one tick, and the semaphore-dispatch agent then behaves like R(1), which is waiting for the release from agent 1. When the release comes (or the signal times out) the semaphore-dispatch agent returns to the waiting state. If the signal from agent 1 is not written then the signal from agent 2 is tested; if it is being written then the same behaviour occurs as for agent 1; if it is not being written then the semaphore-dispatcher waits for the next tick and starts the signal monitoring again. Note that semaphore requests which occur during the wait for a release signal will be ignored, and thus signalling must be repeated by the requesting agent periodically. Also, the grant signal time is bounded by the deadline on the grant write (in this instance this is a single tick).

Note that this semaphore-dispatcher method of dealing with mutual exclusion is only one of a possible number of solutions to the problem. Consider the solution whereby requests are not lost, and are guaranteed to be serviced when the resource next becomes free. This is achieved by the semaphore-dispatcher updating local variables rt1 and rt2 with the timestamp of the most recent request of each agent:
$(x, y, rt_1, rt_2)(\ [1]((rt_1, x) \leftarrow Req_1;\ (rt_2, y) \leftarrow Req_2);$

$\quad \mu_n(\ Req_1.ts > rt_1 \Rightarrow P(1)$

$\quad \sqcup\ Req_2.ts > rt_2 \Rightarrow P(2)$

$\quad \sqcup\ Req_1.ts = rt_1 \wedge Req_2.ts = rt_2 \Rightarrow \Delta_1\ )\ )$

$P(1) =_{\mathit{def}} [1]((rt_1, x) \leftarrow Req_1);\ [1](0 \to Gnt_1);\ (TL \rhd^m_{Rel_1} TL)$

$P(2) =_{\mathit{def}} [1]((rt_2, y) \leftarrow Req_2);\ [1](0 \to Gnt_2);\ (TL \rhd^m_{Rel_2} TL)$

In  this  solution  there  is  idle  waiting  on  the  release  signals,  and  on  the  request 
signals  (in  this  special  instance  -  where  the  conditions  are  expressions  on  shunt 
timestamps  -  we  can  assume  that  a  conditional  agent  which  does  nothing  but  execute 
an  idle  delay  is  implemented  by  an  agent  which  idles  until  the  condition  holds).  Note 
that  again,  the  deadlines  on  grant  signals  could  be  slackened  if  necessary. 

6  The  Refinement  Calculus 

The aim of a refinement calculus is to provide a set of syntactic rewrite rules which
enables  the  software  developer  to  transform  a  requirements  specification  into  an 
executable  program.  The  calculus  must  ensure  that  any  program  resulting  from 
the  application  of  laws  must  be  correct  with  respect  to  the  original  specification. 
Correctness  is  defined  in  terms  of  a  refinement  relation,  and  individual  refinement 
laws  are  proven  sound  with  respect  to  this  relation. 

We  define  a  refinement  relation  as  follows: 

Definition Refinement. Given two agents A and B, then B refines A (written $A \sqsubseteq B$) exactly when $[\![B]\!] \Rightarrow [\![A]\!]$.

Refinement  can  be  seen  as  a  lessening  of  nondeterminism,  i.e.  given  a  specification 
which  lists  a  number  of  acceptable  alternatives  (which  might  be  inherent  in  the 
underspecification  of  a  system),  then  a  program  which  guarantees  at  least  one  of 
those  alternatives  is  a  valid  refinement. 

It  is  clear  that  the  refinement  relation  is  a  partial  order  (a  property  inherited 
from  the  implication  connective),  and  this  will  allow  us  to  perform  refinement  steps 
of  any  granularity  without  affecting  the  resulting  program. 

If  we  return  to  our  early  example  of  a  system  specification,  we  are  now  in  a 
position  to  prove  the  refinement: 


$\{out\} : \exists \sigma : \mathbb{N}(\sigma \in [t_a, t_\omega] \wedge out.v@t_\omega = (in.v@\sigma)^2 \wedge t_\omega \leq t_a + 10)$

$\quad \wedge\ \#\{n \mid \exists \sigma : \mathbb{N}(\sigma \in [t_a, t_\omega] \wedge out.ts@\sigma = n) \wedge n \neq out.ts@t_a\} = 1$

$\sqsubseteq (x, y)[10]((x, y) \leftarrow in;\ y^2 \to out)$

The proof sketch is as follows:

$[\![ (x, y)[10]((x, y) \leftarrow in;\ y^2 \to out) ]\!]$

$= \exists x, y : \mathit{Var}($

$\quad \exists m : \mathbb{N}(m \in [t_a, t_\omega] \wedge \exists \sigma : \mathbb{N}(\sigma \in [t_a, m] \wedge x@m = in.ts@\sigma \wedge y@m = in.v@\sigma)$

$\quad \wedge\ \mathit{stable}(out, t_a, m)$

$\quad \wedge\ \mathit{write}((y@m)^2, out, m, t_\omega) \wedge t_\omega \leq t_a + 10))$


We  can  see  that: 

$\mathit{stable}(out, t_a, m) \wedge \mathit{write}((y@m)^2, out, m, t_\omega) \Rightarrow$

$\#\{n \mid \exists \sigma : \mathbb{N}(\sigma \in [t_a, t_\omega] \wedge out.ts@\sigma = n) \wedge n \neq out.ts@t_a\} = 1$

by  the  definition  of  stable  and  write.  The  liveness  property  is  guaranteed  by  the 
theorem: 

$\exists x, y : \mathit{Var}(\exists m : \mathbb{N}(m \in [t_a, t_\omega] \wedge \exists \sigma : \mathbb{N}(\sigma \in [t_a, m] \wedge x@m = in.ts@\sigma \wedge y@m = in.v@\sigma)$

$\quad \wedge\ \mathit{write}((y@m)^2, out, m, t_\omega) \wedge t_\omega \leq t_a + 10))$

$\Rightarrow \exists \sigma : \mathbb{N}(\sigma \in [t_a, t_\omega] \wedge out.v@t_\omega = (in.v@\sigma)^2 \wedge t_\omega \leq t_a + 10)$ $\square$

It would be infeasible to prove refinements of any reasonably sized program in this manner; the complexity of such a task would ensure that mistakes would be made. Instead we provide a calculus of refinement laws which have much simpler proof obligations. We define a subset of these laws below; each law is labelled so that it can be referred to in refinement proofs.

We start with a refinement law schema which arises from the semantic definitions.
RS (refinement schema) If $[\![A]\!] =_{\mathit{def}} \Phi$ then $\Phi \sqsubseteq A$

We now define the laws of the calculus by construct; we use the equality symbol ‘=’ to denote that refinement is valid in both directions.


Specification 

SR.1 $w : \Phi = w : \Phi[x@t_a / x@t_\omega]$ (if $x \notin w$)

SR.2 $w : \Phi = w : \Phi[x@t_\omega / x@t_a]$ (if $x \notin w$)

SR.3 $w \cup \{s\} : \Phi \wedge \mathit{stable}(s, t_a, t_\omega) = w - s : \Phi$ (if s not in $\Phi$)

SR.4 $w : \Phi \sqsubseteq w : \Phi'$ (if $\Phi' \Rightarrow \Phi$)

Restriction
For  any  variable  x: 

VR.1 $(x)A = A$ (if x not in A)

VR.2 $(x)((y)A) = (y)((x)A)$

VR.3 $w : (\exists y : \mathit{Var}(\Phi)) = (x)(w \cup \{x\} : \Phi[x/y])$ (if $x \notin w : \Phi$)

VR.4 $w : \Phi \sqsubseteq (x)(w \cup \{x\} : \Phi)$ (if x is a new unique computational variable)

Sequential

SE.1 $P; (Q; R) = (P; Q); R$

Deadline

DE.1 $[S]A \sqsubseteq [S']A$ (if $S' \subseteq S$)

Delay

DL.1 $\delta_n; \delta_m = \delta_{n+m}$ $\qquad$ DL.2 $\Delta_n; \Delta_m = \Delta_{n+m}$

DL.3 $\delta_n; TL = \delta_n$ $\qquad$ DL.4 $\delta_0 = TL$

Concurrent

CR.1 $A \mid B = B \mid A$ $\qquad$ CR.2 $A \mid (B \mid C) = (A \mid B) \mid C$

Conditional

GR.1 $\sqcup_i\, g_i \Rightarrow A_i \sqsubseteq A_j$ (if $g_j = \mathit{true}$)

Signal

For any shunt s and time n:

TR.1 $(A \rhd^n_s B) \mid (C \rhd^n_s D) = (A \mid C) \rhd^n_s (B \mid D)$

TR.2 $A \rhd^{n+1}_s B = (A \rhd^n_s B) \rhd^1_s B$

TR.3 $A \rhd^n_s (C \rhd^0_s B) = A \rhd^n_s B$

Iteration

IR.1 $\mu_{n+1} A = A; \mu_n A; TL = \mu_n A; A; TL$

Of course there are many such useful rules, and the reader can probably think of many more. The refinement calculus needs to be proven sound with respect to the definition of the refinement relation, and the proof is presented in [10]. In addition, the refinement relation needs to be proven monotonic, i.e.

Monotonicity Given that $A \sqsubseteq B$, then for any context $C[\_]$, we have $C[A] \sqsubseteq C[B]$.

This property enables the user of the calculus to remove an agent from its context, refine it in isolation, and replace the refined agent back into the same context without requiring them to prove that the new composed agent remains a valid refinement. The proof of this theorem is given in [9].

7  Postscript:  A  Few  Notes  on  ‘Sensible’  Refinements 

It is possible to refine any agent by the specification w : false (for any frame w); this is because:

$[\![ w : \mathit{false} ]\!] = \mathit{stable}(\bar{w}, t_a, t_\omega) \wedge \mathit{false}$

$= \mathit{false}$

$\Rightarrow [\![A]\!]$ (any A) $\square$


The specification w : false is often referred to as the miraculous specification (see [5] for example), and usually arises as a result of an inconsistent specification at an earlier stage in refinement. However, other kinds of refinement can result in undesired agents as well. Consider the following refinement:

$\{out\} : \mathit{write}(1, out, t_a, t_\omega)$

$\sqsubseteq \{out\} : \mathit{write}(1, out, t_a, t_\omega) \wedge \mathit{write}(1, out, t_a, t_\omega)$ (by strengthen)

$\sqsubseteq \{out\} : \exists m : \mathbb{N}(m \in [t_a, t_\omega] \wedge \mathit{write}(1, out, t_a, m) \wedge \mathit{stable}(out, m, t_\omega))$

$\quad \wedge\ \exists l : \mathbb{N}(l \in [t_a, t_\omega] \wedge \mathit{write}(1, out, t_a, l) \wedge \mathit{stable}(out, l, t_\omega))$ (by strengthen)

$\sqsubseteq \{out\} : \mathit{write}(1, out, t_a, t_\omega) \mid \{out\} : \mathit{write}(1, out, t_a, t_\omega)$ (by RS)

$\sqsubseteq 1 \to out \mid 1 \to out$ (by RS)


In the final concurrent agent we expect that an implementation would be able to write the value to the shunt out twice, and independently - but the semantics of the agent dictate that the two agents must write at the same instant in time (otherwise the stability constraints inherent in the definition of the predicate write would be contradicted). It is important to realise that the refinement is not incorrect, but that in this case the informal understanding of the meaning of the concurrent agent is not supported by the actual semantics².
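As an added illustration (not code from the paper), the following Python model of a shunt history implements the stable and write predicates of section 4.1 in discrete time and replays the refinement above: two independent writes of 1 to out at different instants falsify write(1, out, t_a, t_ω), whereas two writes at the same instant are indistinguishable from one write. The boundary convention (stable(s, n, m) compares every tick in [n, m] with s@n), the horizon and the sample traces are assumptions of this example.

```python
"""Discrete-time model of TAM shunts and the predicates stable/write.

Added example, not code from the paper. A shunt's state at tick t is the
pair s@t = (ts, v): the timestamp of the most recent write and its value.
Assumption of this model: stable(s, n, m) compares every tick in [n, m]
with s@n, so an empty interval (m < n) is trivially stable.
"""


class Shunt:
    """History of one shunt over the ticks 0..horizon (constructed sample)."""

    def __init__(self, initial_value, horizon: int):
        # The initial value counts as written "before time 0" (timestamp -1).
        self.horizon = horizon
        self.state = [(-1, initial_value)] * (horizon + 1)

    def write(self, value, at: int) -> None:
        """Record a write of `value` at tick `at`; it persists until a later write."""
        if not 0 <= at <= self.horizon:
            raise ValueError("write outside the modelled horizon")
        if self.state[at][0] == at and self.state[at][1] != value:
            # Two agents writing different values at the same instant is a
            # genuine conflict rather than a single write; refuse it.
            raise ValueError("conflicting writes at the same instant")
        for t in range(at, self.horizon + 1):
            if self.state[t][0] < at:          # never clobber a later write
                self.state[t] = (at, value)

    def at(self, t: int):
        """s@t"""
        return self.state[t]


def stable(s: Shunt, n: int, m: int) -> bool:
    """stable(s, n, m): the shunt does not change during [n, m]."""
    return all(s.at(t) == s.at(n) for t in range(n, m + 1))


def write(v, s: Shunt, n: int, m: int) -> bool:
    """write(v, s, n, m): some sigma in [n, m] carries a write of v, i.e.
    s@sigma = (sigma, v), and s is stable on [n, sigma-1] and on [sigma, m]."""
    return any(
        s.at(sigma) == (sigma, v) and stable(s, n, sigma - 1) and stable(s, sigma, m)
        for sigma in range(n, m + 1)
    )


def section7_scenarios(t_a: int = 0, t_w: int = 10) -> dict:
    """Replay {out} : write(1, out, t_a, t_w) refined to 1 -> out | 1 -> out
    on three constructed traces of the shunt `out`."""
    single = Shunt(0, t_w)                # one agent writes 1 at tick 3
    single.write(1, 3)

    two_instants = Shunt(0, t_w)          # both agents write 1, at ticks 3 and 7
    two_instants.write(1, 3)
    two_instants.write(1, 7)

    same_instant = Shunt(0, t_w)          # both agents write 1 at tick 5
    same_instant.write(1, 5)
    same_instant.write(1, 5)

    return {
        "single": write(1, single, t_a, t_w),              # True
        # False: the write at 7 breaks stable(out, 3, t_w) demanded after the
        # first write, and the write at 3 breaks stable(out, t_a, 6) demanded
        # before the second, so neither instant satisfies the predicate.
        "two_instants": write(1, two_instants, t_a, t_w),
        # True: the history is that of a single write, which is exactly what
        # the semantics force on the agent 1 -> out | 1 -> out.
        "same_instant": write(1, same_instant, t_a, t_w),
    }
```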

In  order  to  make  sure  that  our  informal  view  is  supported  as  much  as  is  feasible 
by  the  refinement  calculus  we  can  introduce  a  number  of  heuristics.  For  example  we 
can  assert  the  following  heuristic  rule: 

Separation Constraint The refinement $w : \Phi \sqsubseteq w_A : \Phi_A \mid w_B : \Phi_B$ is acceptable only when $w_A \cup w_B = w$ and when $w_A \cap w_B = \emptyset$

This heuristic would have enabled the developer to reject the above refinement in favour of a more ‘sensible’ alternative. Of course we could have defined the original
refinement  law  for  concurrency  with  this  constraint  enforced,  but  we  believe  that 
the  underlying  theory  should  be  as  flexible  as  possible,  and  that  such  high-level 
pragmatics  should  be  defined  at  as  late  a  stage  as  possible. 

Another instance of a ‘sensible’ refinement heuristic is that of allowing time for
the  evaluation  of  conditionals.  The  semantics  do  not  assume  that  the  conditionals 
require  evaluation  time,  and  this  enables  the  user  to  define  programs  which  block 
on  events.  Consider  the  following  agent: 

$\mu_n(s.v = 1 \Rightarrow A \sqcup s.v \neq 1 \Rightarrow \Delta_1)$

This agent is waiting for the value in the shunt s to be set to 1: if the value is not currently set to 1 then the agent idle waits for one tick and then tries again. When the value is set to 1 the agent A will be released. Note that if the owner of the shunt s does not change the value in s then the agent A might be released many times (although they will be precedence constrained).

We can see that one of the properties of this agent is that if the shunt s at the release time does not have the value 1, and the shunt remains stable, then the agent will reduce to an idle delay, i.e. we can assert the theorem:

$\mu_n(s.v = 1 \Rightarrow A \sqcup s.v \neq 1 \Rightarrow \Delta_1) \sqsubseteq \delta_n$ (if $s.v@t_a \neq 1 \wedge \mathit{stable}(s, t_a, t_a + n)$)

Proof  (by  induction) 

(Base case where n = 0)

(1) $\mu_0(s.v = 1 \Rightarrow A \sqcup s.v \neq 1 \Rightarrow \Delta_1) = TL$ (by def Iteration)

(2) $= \delta_0$ (by DL.4)

(Inductive step)

If $\mu_n(s.v = 1 \Rightarrow A \sqcup s.v \neq 1 \Rightarrow \Delta_1) \sqsubseteq \delta_n$

then $\mu_{n+1}(s.v = 1 \Rightarrow A \sqcup s.v \neq 1 \Rightarrow \Delta_1) \sqsubseteq \delta_{n+1}$

2 This is an excellent example of why it is important that any compiler for TAM - or any other formal development language - must also be proved correct: it is not good enough that we believe that the compiler supports our informal understanding of the semantics of the language.
(1) $\mu_{n+1}(s.v = 1 \Rightarrow A \sqcup s.v \neq 1 \Rightarrow \Delta_1)$

$= (s.v = 1 \Rightarrow A \sqcup s.v \neq 1 \Rightarrow \Delta_1);\ \mu_n(s.v = 1 \Rightarrow A \sqcup s.v \neq 1 \Rightarrow \Delta_1);\ TL$ (by IR.1)

(2) $\delta_{n+1} = \delta_n; \delta_1$ (by DL.1)

(3) $(s.v = 1 \Rightarrow A \sqcup s.v \neq 1 \Rightarrow \Delta_1) \sqsubseteq \Delta_1$ (by def Conditional and stability constraint)

(4) $(s.v = 1 \Rightarrow A \sqcup s.v \neq 1 \Rightarrow \Delta_1);\ TL \sqsubseteq \Delta_1;\ TL$ (by monotonicity)

(5) $\Delta_1;\ TL \sqsubseteq \delta_1$ (by 1.3 and DL.3)

and so by monotonicity the inductive step holds $\square$

Thus the implementation would be sensible. However, it would be difficult to implement a conditional which relied on computation, and also relied on a very short deadline. Consider the agent:

$[m](xy > r \Rightarrow ([m]A))$

which gives a deadline of m time units, all of which is required for the execution of the agent A; thus, the conditional must be evaluated instantaneously. This may be implementable by using some of the time given to the agent A, but this certainly should not be relied upon.

8  Conclusion 

TAM is unique in providing a wide-spectrum development language for real-time systems in which abstract specifications can be refined down to concrete executable programs. Wide-spectrum languages for non real-time systems have been studied extensively, for example in the SETL language [11] and the CIP project [3]; wide-spectrum languages based upon predicate logic are given transformation rules which allow refinement in a manner similar to TAM.

The utility of a wide-spectrum language can be clearly seen in the refinement method used by Morgan in his calculus [5]. In this language, the concrete syntax is provided by an extended version of Dijkstra's Guarded Command Language [2]. The abstract specification syntax is provided by a statement form:

$w : [\mathit{pre}, \mathit{post}]$

where ‘w’ (called the ‘frame’) defines the scope of the specification, i.e. those state variables which may be changed by the behaviour defined by the specification, and ‘pre’ and ‘post’ are first-order predicate logic formulae which describe the relationship between the program state before the execution of the specification statement, and after the termination of the specification statement respectively. The specification statement can therefore be viewed as a description of the minimum requirements on the behaviour of any concrete statement which may replace it during refinement.

Similarly, in Back and Wright's wide-spectrum language [1], the concrete code is a version of Dijkstra's Guarded Command Language and a statement, called an assert statement, is denoted {b}, where b is a formula on the local state. The assert statement will terminate correctly if the local state satisfies the formula when ‘executed’, and will abort otherwise.
The common factor of both Morgan and Back and Wright's languages is that they are transformational: they describe computations which have all input data available at the start of execution, and provide the result at the time of termination. This restriction provides the basis for the ‘shape’ of Morgan's specification statement - it describes a relationship between initial and final states. In real-time systems we are interested in reaction, i.e. input and output during the execution of an agent. In addition, we are interested in the time at which the inputs and outputs occur; our specification statement for real-time systems reflects these requirements.

Clearly  there  are  many  facets  of  the  language  yet  to  investigate,  both  in  the 
existing  constraints  of  the  theory,  and  in  the  possibility  of  extending  the  theory  to 
deal  with  issues  such  as  non-termination,  and  type  refinement,  etc.  The  standard 
offered  in  this  paper  should  provide  a  firm  foundation  for  these  experiments. 
Compositional Process Semantics of Petri Boxes¹

Eike Best²³ and Hans-Günther Linde-Goers²
Abstract 

The  Petri  Box  algebra  defines  a  linear  notation  to  express  a  structured 
class  of  Petri  nets  which  can  be  seen  as  a  modification  and  generalisation 
of  Milner’s  CCS.  The  calculus  has  been  designed  as  an  intermediate  stage 
in  the  compositional  translation  of  higher  level  concurrent  programming 
notations  into  Petri  nets.  This  paper  defines  the  notion  of  a  ‘Box  process’ 
intended  to  capture  the  (Petri  net)  partial  order  semantics  of  the  Box 
algebra.  The  main  result  is  the  equivalence  of  the  direct  compositional 
semantics  so  defined,  and  the  indirect  non-compositional  semantics  which 
uses  processes  of  Petri  nets,  for  a  class  of  expressions. 


1  Introduction 

The Petri Box Calculus (PBC [5]), which has been developed in the Esprit Basic
Research  Action  DEMON,  is  a  blend  which  is  partially  derived  from  existing 
calculi  (notably,  Milner’s  CCS  [23])  and  is  partially  novel.  It  was  designed 
to  satisfy  two  requirements.  Firstly,  it  should  be  firmly  based  on  a  Petri  net 
semantics,  and  secondly,  it  should  be  oriented  towards  easing  the  compositional 
definition  of  the  semantics  of  various  concurrent  programming  languages  such  as 
occam  [21],  including  all  data  aspects;  it  has  been  discussed  in  [6,  18]  how  this 
can  be  achieved. 

Compared  with  CCS,  the  PBC  features  a  different  synchronisation  operator 
and  a  refinement  operator.  Moreover,  the  PBC  is  not  prefix-driven  but,  on 
the  contrary,  treats  entry  and  exit  points  of  processes  symmetrically.  As  a 
consequence,  the  sequence  operator  is  basic  and  the  recursion  operator  is  much 
more  general  and  not  limited  to  tail-end  recursion. 

Up  to  the  present  time,  there  have  been  various  developments  concerning  the 
Box  calculus;  they  have  been  chiefly  oriented  towards  its  static  aspects.  In  [5], 
a  number  of  static  equivalences  that  can  be  derived  as  a  consequence  of  the 
static  semantics  have  been  established;  in  [4],  static  (denotational)  definitions 
have  been  given  for  refinement  and  recursion;  in  [12],  the  S-invariant  covering  of 
Boxes  has  been  investigated. 

This  present  paper  and  its  companion  papers  [7,  20],  by  contrast,  address  the 
dynamic  aspects  of  Box  expressions.  The  aim  of  the  present  paper  is  to  make 
a  domain  out  of  the  set  of  (Petri  net)  processes  and  to  define  a  compositional 

1 Work done within the Esprit Basic Research Action 3148 DEMON (Design Methods Based on Nets) and the Working Group 6067 CALIBAN (Causal Calculi Based on Nets).

3 Institut für Informatik, Universität Hildesheim, Marienburger Platz 22, D-31141 Hildesheim, {e.best,linde}@informatik.uni-hildesheim.de


process semantics of Box expressions on this domain. The ground set is defined as the sets of (equivalence classes of) processes, denoting all possible concurrent runs of an expression. The operations on the domain mirror the Box expression operators. The main result establishes the consistency of the Box process semantics (the ‘direct’ semantics) and the set of processes that can be obtained indirectly by first deriving the Box of an expression and then the processes of this Box using the standard net theoretical notion [3, 17] (the ‘indirect’ semantics).

The  operations  we  shall  define  on  Box  processes  have  been  inspired  by  prior  work 
such  as  that  of  Cherkasova  and  Kotov  [10]  and  Pratt  [25].  The  specific  form  of 
our  operations,  which  significantly  differ  from  the  ones  used  in  the  cited  papers, 
has  been  motivated  by  [5]  and  other  work  on  the  Box  Calculus.  This  work  is 
also  pertinent  to  a  large  body  of  recent  work  on  giving  Petri  net  semantics 
of  existing  process  calculi  such  as  CCS,  CSP  [19]  or  ACP  [1]  (for  instance, 
[2, 9, 10, 11, 14, 15, 22, 24, 26]).

The  organisation  is  as  follows.  Section  2  explains  the  syntactic  domain  of  Box 
expressions.  Section  3  defines  the  basic  elements  of  the  semantic  domains  we 
are  going  to  consider:  labelled  nets,  labelled  causal  nets,  Petri  Boxes  and  Box 
processes.  Section  4  defines  the  first  semantic  domain,  namely  the  domain  of 
Box  processes.  Section  5  describes  the  second  semantic  domain,  the  domain  of 
Petri  Boxes.  Section  6  deals  with  consistency  between  the  direct  semantics  and 
the  indirect  semantics.  The  main  result  of  section  6  establishes  the  equivalence 
of  these  two  notions.  Section  7  contains  concluding  remarks. 

2  The  Syntactic  Domain:  Box  Expressions 

Action  names  and  variable  names  are  the  basic  constituents  of  the  Box  expression 
algebra. We assume a set of action names, $A$, to be given. On $A$ we assume a conjugation bijection to be defined: $\bar{\ } : A \to A$ with $\bar{a} \neq a$ and $\bar{\bar{a}} = a$ for all $a \in A$. The set $\mathcal{L}$ of finite multisets over $A$ is called the set of communication labels. Elements $\alpha$ of the set $\mathcal{L}$ may serve as the labels of transitions and events. The function $\bar{\ }$ can be extended to any multiset $\mu$ over $A$ by element-wise application. When $\alpha$ is a singleton set $\{a\}$, we omit the enclosing set brackets
if  unambiguity  is  ensured.  We  use  capital  letters  X,Y  etc.  to  denote  Box 
expression  variables  which  are  used  for  refinement  and  recursion.  Let  V  denote 
the  set  of  such  variable  names.  Elements  of  V  may  also  serve  as  transition  or 
event  labels. 

Using  these  conventions,  Table  1  defines  the  Box  expression  syntax  which  we 
consider  in  this  paper  -  which  is  the  full  syntax  considered  in  [5]  except  for 
scoping  and  relabelling.  Scoping  is  a  derived  operator  from  synchronisation  and 
restriction  (and  its  semantics  follows  accordingly).  Relabelling  is  omitted  here 
since  its  treatment  complicates  the  formalism  but  presents  no  specific  difficulties. 
E ::= α                multi action              {Basic Box Expression}
    | E; E              sequence                  {Sequential Constructs}
    | E □ E             choice
    | [E * E * E]       iteration
    | E ∥ E             concurrent composition    {Concurrent Constructs}
    | E sy a            synchronisation
    | E rs a            restriction
    | X                 variable                  {Hierarchical Constructs}
    | E[X ← E]          refinement
    | μX.E              recursion

Table 1: The (slightly) reduced Box expression syntax

3  Basic  Semantic  Definitions 

3.1  Labelled  nets  and  renaming  equivalence 

A labelled Petri net is a quadruple $\Sigma = (S, T, W, \lambda)$, where $(S, T, W)$ is an arc-weighted Petri net with places S, transitions T, weight

$W : ((S \times T) \cup (T \times S)) \to \mathbb{N},$

place labelling $\lambda : S \to \{e, \emptyset, x\}$ and transition labelling $\lambda : T \to \mathcal{L} \cup V$. The pre-set (post-set) of an element $x \in S \cup T$ is defined by ${}^\bullet x = \{y \mid W(y, x) > 0\}$ (respectively, $x^\bullet = \{y \mid W(x, y) > 0\}$).

We require T-restrictedness, i.e., $\forall t \in T : {}^\bullet t \neq \emptyset \neq t^\bullet$.

The labellings indicate the interfaces of nets, which are relevant for their composition. The places s with $\lambda(s) = e$ are called entry places and denoted by ${}^\bullet\Sigma$. The places with $\lambda(s) = x$ are called exit places and denoted by $\Sigma^\bullet$. All places with label $\lambda(s) = \emptyset$ are called internal. Similarly, all transitions t with $\lambda(t) = \emptyset$ are called internal or silent. The transitions t with $\lambda(t) \neq \emptyset$ are called interface transitions. There are two types of interface transitions: communication transitions ($\lambda(t) \in \mathcal{L} \setminus \{\emptyset\}$) and hierarchical transitions ($\lambda(t) \in V$).

A labelled causal Petri net $\eta = (B, E, F, \lambda)$ is a labelled net which satisfies $|{}^\bullet b| \leq 1 \geq |b^\bullet|$ for all $b \in B$ and $F : ((B \times E) \cup (E \times B)) \to \{0, 1\}$. F can equivalently³ be viewed as a relation $F \subseteq ((B \times E) \cup (E \times B))$. Elements of B and E are called conditions and events, respectively. A B-cut of $\eta$ is a maximal set of mutually incomparable elements of B, with respect to the partial order $\prec = F^+$.

Figure 1(i) shows a causal net with four places (named 1, 2, 3, and an unnamed one) labelled, respectively, by e, ∅, ∅, and x; and two (unnamed) transitions labelled by X (∈ V) and {a} (∈ $\mathcal{L}$), respectively.

3 With $F(x, y) = 0$ (resp. 1) iff $(x, y) \notin$ (resp. $\in$) F.
Figure 1: Illustration of the basic definitions


The  names  of  places  and  transitions  are  only  interesting  for  the  level  of  basic 
operations on causal nets. For the semantics of Box expressions, they are irrelevant because on this level, only the interface expressed by the labellings and
the  interconnection  structure  expressed  by  the  underlying  net  matters.  For  the 
latter  purpose,  we  can  call  two  net  elements  equivalent  if  they  have  the  same 
labels  and  the  same  environments. 

Two places s and s' in a labelled net duplicate each other if λ(s) = λ(s') and for all t ∈ T, both W(s, t) = W(s', t) and W(t, s) = W(t, s'). The duplication of transitions is defined similarly. In a labelled causal net, two different elements that duplicate each other are necessarily conditions; this follows from the fact that no condition may be branched. Two labelled nets Σ₁ = (S₁, T₁, W₁, λ₁) and Σ₂ = (S₂, T₂, W₂, λ₂) will be called renaming equivalent iff there is a sort-preserving relation ρ ⊆ (S₁ × S₂) ∪ (T₁ × T₂) such that ρ is (both ways) surjective on places; ρ is (both ways) surjective on transitions; ρ is arc-(weight-)preserving; ρ is label-preserving; and ρ is bijective on hierarchical transitions. Figure 1(ii) shows a labelled net which is ρ-equivalent to the one shown in Figure 1(i). As a consequence of the non-branching of conditions, any two ρ-equivalent labelled causal nets have the same number, or cardinality, of events.

3.2 Boxes and Box processes

Definition 3.1 Boxes

A Petri Box B is a ρ-equivalence class B = [Σ], such that Σ = (S, T, W, λ) is a labelled net satisfying:

(i) At least one entry place: •Σ ≠ ∅.

(ii) At least one exit place: Σ• ≠ ∅.

(iii) No arcs into entry places: ∀s ∈ •Σ ∀t ∈ T: W(t, s) = 0.

(iv) No arcs out of exit places: ∀s ∈ Σ• ∀t ∈ T: W(s, t) = 0. ■ 3.1

Since the properties (i)-(iv) are independent of the choice of a representative of [Σ], this definition is good. In fact, similar properties of representative independence hold for all the subsequent definitions whenever they involve Boxes. We shall refrain from mentioning this explicitly; but as a consequence, we may allow ourselves some freedom in referring to Boxes and their representatives, not always making a clear distinction (for instance, 'the transition t of a Box B' is nominally not defined, but can be understood as referring to the transition t of some representative of B).

Definition 3.2 Box Processes

A Box process is an equivalence class π = [η], where renaming equivalence is restricted to labelled causal nets, such that η = (B, E, F, λ') is a labelled causal net satisfying⁴:

(a) Min(η) is a B-cut.

(b) For all b ∈ B: λ'(b) = e iff b ∈ Min(η).

(c) For all b ∈ B: λ'(b) = x ⇒ b ∈ Max(η).

π is, moreover, called complete if η satisfies:

(d) Max(η) is a B-cut and ∀b ∈ Max(η): λ'(b) = x. ■ 3.2

The reason for the asymmetry in clauses (b, c) is that we allow nonterminating processes; terminating ones are captured by clause (d) which restores the symmetry of the definition. For the same reason, we do not require property (ii) of Boxes. The properties (i), (iii) and (iv) of Boxes are automatically satisfied by (a, b, c) and the special properties of labelled causal nets; property (ii) is additionally satisfied if (d) holds. It is not hard to see that properties (a)-(d) are robust with respect to ρ-equivalence; thus this definition is again good. We say that π is finite if the representatives of π have finitely many events; according to the above remark, if this is true for one representative then it is true for all of them, so that the notion is well-defined.


4 Domain 1: the Box Process Algebra

We define the Box process algebra by giving its domain, i.e., the set of possible elements (section 4.1); its basic elements (section 4.1); and the operations on the domain (section 4.2). In section 4.3, we use this algebra to define the process semantics of Box expressions.

⁴ The Minima and Maxima being defined with respect to the partial order ≺ = F⁺.

4.1 The domain SBP and its basic elements

The elements of the Box process algebra are sets of Box processes (called SBPs in the sequel):

Π = {π | π is a Box process and if π is complete then it is finite}.

The interpretation will be that each SBP represents a set of possible executions of a Box expression. Let SBP denote the domain of all SBPs.

We need one basic SBP for every finite communication label α ∈ L, namely Π_α = {[η₀], [η₁]}, where η₀ = ({b}, ∅, ∅, λ'₀) and η₁ = ({b₁, b'₁}, {e₁}, F₁, λ'₁) with λ'₀(b) = e, λ'₁(b₁) = e, λ'₁(b'₁) = x, λ'₁(e₁) = α and F₁ = {(b₁, e₁), (e₁, b'₁)}. Thus, η₀ is the initial process that describes 'no action as yet', while η₁ is the process that corresponds to a complete execution of α. For every variable X, we need a similar set of two processes called Π_X and defined as above, except that λ'₁(e₁) = X.

4.2 Operations on Box process sets

In this section - the core of this paper - we define set union, constituent union, concatenation, iteration, synchronisation, restriction, refinement and recursion on the domain SBP. This relies on a few auxiliary Petri net changing operations: ⊕ denotes the addition (with the correct connections, which will always be clear from the context) of a set of places or transitions, the labellings of which have to be given as a parameter to the ⊕ operation; ⊗ is defined between subsets of the elements of two nets and denotes the formation of the symmetric Cartesian product yielding sets {x, y} where x is from the first subset and y is from the second subset; ⊖ denotes the removal of places or transitions together with their interconnections.

The domain SBP has been defined in such a way that all its complete elements are finite. This necessitates a proof of the fact that none of the operations we are about to define leads out of that domain. In [8] these proofs are given.

4.2.1 Union of SBPs

The first operation we define is plain set union; it is binary and creates a new SBP Π₁ ∪ Π₂ out of two given SBPs Π₁ and Π₂. Being a set theoretical operation, it can be extended straightforwardly to more than two arguments, yielding the union ⋃ᵢ Πᵢ for a set of arguments {Π₁, Π₂, …}.

4.2.2 Disjoint union of constituents of SBPs

The second operation we define is disjoint union (or juxtaposition) of constituents. Let Π₁ and Π₂ be SBPs. Then

Π₁ || Π₂ = {π₁||π₂ | π₁ ∈ Π₁ ∧ π₂ ∈ Π₂},

where for π₁ = [η₁], π₂ = [η₂] (and η₁ and η₂ are w.l.o.g. disjoint⁵) we define:

π₁||π₂ = [η₁ ∪ η₂]

where ∪ denotes the union of labelled causal nets. Since the operation || differs from the set union of SBPs and will be used to describe concurrent composition, we have used the symbol || instead of ∪ or ⊎.

4.2.3 Concatenation of SBPs

The third operation we define is concatenation. For an SBP Π let Π^c denote the set of complete elements of Π. Π^{-x} will denote the set of processes of Π such that all x-labels of conditions are changed into ∅-labels.

Let Π₁ and Π₂ be two SBPs. We define

Π₁;Π₂ = (Π₁)^{-x} ∪ {π₁;π₂ | π₁ ∈ Π₁^c ∧ π₂ ∈ Π₂}.

For π₁ = [η₁], π₂ = [η₂] (η₁ and η₂ w.l.o.g. disjoint) we put π₁;π₂ = [η₁;η₂] and

η₁;η₂ = ((η₁ ∪ η₂) ⊕ (Max(η₁) ⊗ Min(η₂), l)) ⊖ (Max(η₁) ∪ Min(η₂))

where l({b₁, b₂}) = ∅ for any {b₁, b₂} ∈ Max(η₁) ⊗ Min(η₂).

The formula for η₁;η₂ means that η₁ and η₂ are first juxtaposed (η₁ ∪ η₂, together with their disjointness); the exit conditions of η₁ (the same as Max(η₁) because of the completeness of η₁) are multiplied with the entry conditions of η₂, yielding a new set of places that are connected in the appropriate way; and the exit conditions of η₁ as well as the entry conditions of η₂ are removed. The new places get the ∅ label. This construction - which for the finite case coincides with that in [10] - reappears later when refinement is defined; we shall give an example at that point.

In general, π₁;π₂ is complete iff π₂ is complete [8]. One may define a natural prefix relation ≼ on labelled causal nets: η₁ ≼ η₂ if there is a cut (a maximal set of concurrent elements) in η₂ such that η₁ lies below or equal that cut. In particular, for all i ≥ 1, η₁; … ; ηᵢ ⊖ Max(ηᵢ) ≼ … Also, ; is an associative operation [8]. Therefore, the infinite sequence

π₁;π₂;π₃; … = [⋃_{i=1}^{∞} (η₁; … ; ηᵢ ⊖ Max(ηᵢ))]

is well defined.

⁵ 'W.l.o.g.' because of renaming equivalence.
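As an added illustration of Definition 3.2 and of the concatenation construction of this section (this Python is not part of the paper; it handles finite nets only, encodes the condition labels e, x and ∅ as the values 'e', 'x' and None, and uses condition and event names of its own choosing), the following code checks clauses (a)-(d) on a labelled causal net and builds η₁;η₂ by gluing Max(η₁) ⊗ Min(η₂) as new ∅-labelled conditions:

```python
from itertools import product

# Added example, not the paper's code.  Encoding chosen here: condition labels
# 'e' (entry), 'x' (exit) and None (the empty label ∅); event labels are plain
# action or variable names.  Only finite nets are handled.

class CausalNet:
    """A labelled causal net eta = (B, E, F, lam), F given as a set of (pre, post) pairs."""

    def __init__(self, B, E, F, lam):
        self.B, self.E, self.F, self.lam = set(B), set(E), set(F), dict(lam)

    def pre(self, z):    # •z
        return {u for (u, v) in self.F if v == z}

    def post(self, z):   # z•
        return {v for (u, v) in self.F if u == z}

    def is_causal_net(self):
        """F joins conditions with events only, and |•b| <= 1 >= |b•| for every b."""
        bipartite = all((u in self.B) != (v in self.B) for (u, v) in self.F)
        unbranched = all(len(self.pre(b)) <= 1 >= len(self.post(b)) for b in self.B)
        return bipartite and unbranched

    def order(self):
        """The partial order ≺ = F⁺ as a set of pairs (transitive closure of F)."""
        lt = set(self.F)
        while True:
            step = {(u, w) for (u, v) in lt for (v2, w) in lt if v == v2}
            if step <= lt:
                return lt
            lt |= step

    def minima(self):
        lt = self.order()
        return {b for b in self.B if not any((c, b) in lt for c in self.B)}

    def maxima(self):
        lt = self.order()
        return {b for b in self.B if not any((b, c) in lt for c in self.B)}

    def is_B_cut(self, C):
        """C is a maximal set of mutually incomparable conditions."""
        lt, C = self.order(), set(C)
        inc = lambda p, q: (p, q) not in lt and (q, p) not in lt
        pairwise = all(inc(p, q) for p in C for q in C if p != q)
        maximal = not any(all(inc(b, c) for c in C) for b in self.B - C)
        return C <= self.B and pairwise and maximal

    def is_box_process(self):
        """Clauses (a)-(c) of Definition 3.2."""
        mins, maxs = self.minima(), self.maxima()
        a = self.is_B_cut(mins)
        b = all((self.lam[c] == 'e') == (c in mins) for c in self.B)
        c = all(self.lam[d] != 'x' or d in maxs for d in self.B)
        return self.is_causal_net() and a and b and c

    def is_complete(self):
        """Clause (d): Max(eta) is a B-cut and every maximal condition is x-labelled."""
        maxs = self.maxima()
        return (self.is_box_process() and self.is_B_cut(maxs)
                and all(self.lam[b] == 'x' for b in maxs))


def basic_process(label, tag):
    """eta1 of section 4.1 for one label: an e-condition, one event, an x-condition."""
    b, b2, ev = f"b{tag}", f"b{tag}'", f"e{tag}"
    return CausalNet({b, b2}, {ev}, {(b, ev), (ev, b2)}, {b: 'e', b2: 'x', ev: label})


def concatenate(eta1, eta2):
    """eta1 ; eta2 of section 4.2.3: juxtapose the (disjoint) nets, add a ∅-labelled
    condition {b1, b2} for every pair in Max(eta1) ⊗ Min(eta2), connected as b1 and
    b2 were, and remove Max(eta1) and Min(eta2).  eta1 must be complete."""
    if not eta1.is_complete() or (eta1.B | eta1.E) & (eta2.B | eta2.E):
        raise ValueError("eta1 must be complete and disjoint from eta2")
    max1, min2 = eta1.maxima(), eta2.minima()
    gone = max1 | min2
    B = (eta1.B | eta2.B) - gone
    E = eta1.E | eta2.E
    F = {(u, v) for (u, v) in eta1.F | eta2.F if u not in gone and v not in gone}
    lam = {z: l for z, l in {**eta1.lam, **eta2.lam}.items() if z not in gone}
    for b1, b2 in product(max1, min2):
        new = frozenset({b1, b2})
        B.add(new)
        lam[new] = None                                   # l({b1, b2}) = ∅
        F |= {(ev, new) for ev in eta1.pre(b1)} | {(new, ev) for ev in eta2.post(b2)}
    return CausalNet(B, E, F, lam)


if __name__ == "__main__":
    eta0 = CausalNet({'b'}, set(), set(), {'b': 'e'})        # 'no action as yet'
    seq = concatenate(basic_process('a', 1), basic_process('b', 2))
    print(eta0.is_box_process(), eta0.is_complete())       # True False
    print(seq.is_complete(), len(seq.B), len(seq.E))       # True 3 2
```

The concatenation of the basic process of a with the basic process of b yields a single chain of two events; its one glued condition {b₁', b₂} carries the ∅ label, Min is the e-condition of the first net and Max the x-condition of the second, so the result is again complete. Passing the non-complete η₀ as the first argument is rejected, matching the requirement π₁ ∈ Π₁^c.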


4.2.4 Iteration of SBPs

The iterative construct [E₁ * E₂ * E₃] has the meaning that E₁ is an initial Box expression that may be executed once, after which zero or more repetitions of the body E₂ may occur, after which exactly one execution of E₃, the terminal expression, can complete the execution of the entire expression; but 'once E₁ and then infinitely often E₂' is also possible.

Using union and concatenation, we may now define an iteration operator on SBPs. Let Π₁, Π₂ and Π₃ be SBPs.

Π⁽¹⁾ = Π₁

Π⁽ⁱ⁺¹⁾ = Π⁽ⁱ⁾;Π₂ (for i ≥ 1)

Π* = ⋃_{i≥1} (Π⁽ⁱ⁾;Π₃)

Π^ω = {π₁;π₂;π₃; … | π₁ ∈ Π₁, πᵢ ∈ Π₂, i ≥ 2}

Π₁ * Π₂ * Π₃ = Π* ∪ Π^ω.

4.2.5 Synchronisation of SBPs

Synchronisation of a Box expression does what is often viewed as an integral feature of concurrent composition, that of effecting the synchronisation over labels. In terms of the Box process semantics, it adds processes to the already existing ones according to certain criteria related to the communication labels of events. In terms of the Box semantics, it adds transitions to an already existing Box according to the same criteria applied to the labels of transitions, rather than events.

The main idea is a 'repetition' of the basic CCS idea, which calls for the synchronisation of sets of transitions over pairs (a, â) of labels; to take away the labels that effect the synchronisation; and to keep all the other labels. Due to the presence of multisets of labels, the transitions resulting from a synchronisation may carry labels that can continue to lead to further synchronisations. In general, as explained in [5], the multisets of transitions that may synchronise have an underlying tree formed by pairs (a, â). In CCS, this tree always contains only two nodes and a single arc since the multisets considered there are either empty (τ-action) or singletons; but in the Box expression algebra, the synchronisation tree may be arbitrary.

For instance, consider the expression ({a}||{â, â}||{a}) sy a, a representative of whose Box is shown in Figure 2(ii) (derived from the Box in 2(i)). The idea in this example is that the first subexpression {a} can synchronise with the second subexpression {â, â} (through sy a, using one of the â's that exist in the second subexpression) and the second subexpression can also synchronise with the third subexpression {a} (through sy a, using the other â of the second subexpression), yielding a 3-way ∅-labelled synchronisation. The set of transitions describing this synchronisation is τ = {1, 2, 3}. The fact that this set of transitions can be synchronised together can be described by the formula c(τ) ≥ |τ| − 1, where c(τ) counts the minimum number of a's and â's in τ [5].

(i) Box({a}||{â, â}||{a})

Figure 2: An example of multi-way synchronisation

The next definition translates the synchronisation operation just described into an operation on Box process sets. Let Π be an SBP and a ∈ A an action name. We define

Π sy a = ⋃_{π∈Π} π sy a.

For the definition of π sy a, assume that π = [η] with η = (B, E, F, λ'). Let E_a be the set of events of η that carry an a or an â in their label. Let τ ⊆ E_a be some finite nonempty set of events of E_a. Define c(τ) as the minimum of the sum of a names and the sum of â names in λ'(τ). Now, let ξ ⊆ {τ ⊆ E_a | c(τ) ≥ |τ| − 1} be some set of subsets of E_a, called a synchronisation set of events. With this we define

η sy_ξ a = (η ⊕ (ξ, l)) ⊖ (⋃_{τ∈ξ} τ)

where l(τ) comprises the multiset sum of the labels in τ, minus |τ| − 1 times the pair {a, â} (because that is just the set of pairs that have effected the synchronisation). The net η sy_ξ a may not be a causal net, because the constituent events of the sets τ may form a cycle. Therefore, we restrict the synchronisation sets under consideration and define

π sy a = {[η sy_ξ a] | ξ is a synchronisation set of events such that η sy_ξ a is a causal net}.

This definition guarantees that Π sy a is indeed an SBP. In general, synchronisation is conservative on complete processes; i.e., π sy a is complete iff π is complete [8].
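The criterion c(τ) ≥ |τ| − 1 and the resulting label l(τ), as an added Python example that is not from the paper: it represents multiset labels as collections.Counter objects, writes the conjugate â as 'a^' (a naming convention of this example only), and enumerates every synchronisation set of events over the three events of Figure 2, which are constructed here as FIGURE2_EVENTS.

```python
from collections import Counter
from itertools import combinations

# Added example, not the paper's code.  Labels are multisets (Counter) of action
# names; the conjugate â of an action a is written 'a^' (this example's convention).

def conjugate(name):
    return name[:-1] if name.endswith('^') else name + '^'

def mset(*names):
    """Convenience constructor for a multiset label, e.g. mset('a^', 'a^') = {â, â}."""
    return Counter(names)

def c(labels, a):
    """c(tau): minimum of the number of a's and the number of â's in the multiset sum."""
    total = sum(labels, Counter())
    return min(total[a], total[conjugate(a)])

def can_synchronise(labels, a):
    """The criterion c(tau) >= |tau| - 1 for a finite nonempty tau."""
    return len(labels) >= 1 and c(labels, a) >= len(labels) - 1

def synchronised_label(labels, a):
    """l(tau): multiset sum of the labels minus |tau| - 1 copies of the pair {a, â}."""
    total = sum(labels, Counter())
    total[a] -= len(labels) - 1
    total[conjugate(a)] -= len(labels) - 1
    return +total           # unary plus discards zero and negative counts

def synchronisation_sets(events, a):
    """Every tau ⊆ E_a (events whose label mentions a or â) satisfying the criterion."""
    E_a = sorted(e for e, lab in events.items() if lab[a] or lab[conjugate(a)])
    return {frozenset(tau)
            for n in range(1, len(E_a) + 1)
            for tau in combinations(E_a, n)
            if can_synchronise([events[e] for e in tau], a)}

# Constructed input: the three events of ({a}||{â,â}||{a}) sy a from Figure 2.
FIGURE2_EVENTS = {1: mset('a'), 2: mset('a^', 'a^'), 3: mset('a')}

if __name__ == "__main__":
    for tau in sorted(synchronisation_sets(FIGURE2_EVENTS, 'a'), key=sorted):
        labs = [FIGURE2_EVENTS[e] for e in tau]
        print(set(tau), c(labs, 'a'), dict(synchronised_label(labs, 'a')))
```

On the Figure 2 events the singletons, the pairs {1, 2} and {2, 3} and the triple {1, 2, 3} pass the criterion, while {1, 3} fails because it contains no â at all (c = 0 < 1). The triple receives the empty label, which is the 3-way ∅-labelled synchronisation described in the text, whereas {1, 2} keeps one â available for a further synchronisation.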


4.2.6 Restriction of SBPs

Restriction of an SBP over an action name a removes those processes that contain an event labelled with a or â. Let Π be an SBP and a an action name. Moreover let E_a be the set of events of a causal net η = (B, E, F, λ') that contain an a or an â in their label. We define

Π rs a = Π \ {[(B, E, F, λ')] ∈ Π | E_a ≠ ∅}.
4.2.7 Refinement of SBPs

(ii) Refining X in 1(i) by (i)   (iii) A non-complete process of E₂ = (c||d)

(iv) Another concrete process of E₁ = X;(a||b)   (v) Refining X in (iv) by (iii)

Figure 3: Illustration of the definition of refinement

We define the processes of Π₁[X ← Π₂] by taking the processes of Π₁ and refining all X-labelled events in them by processes of Π₂. Figures 1(i) and 3 depict one of the possible pitfalls in this approach. The example concerns the Box expression E₁[X ← E₂], with E₁ = X;(a||b) and E₂ = (c||d). Figure 1(i) shows a representative process of E₁, Figure 3(i) shows a process of E₂ and Figure 3(ii) the result of refining the event labelled X in the first process by the second process. If the refining process is complete, the definition is straightforward. However, it makes no sense to allow the X in 1(i) to be refined by the non-complete process shown in Figure 3(iii), since the occurrence of event a shows that X has been 'completed'. By contrast, in Figure 3(iv) - another process of E₁ - we will have to allow the refinement of the X-labelled event into the process of 3(iii), yielding the result shown in Figure 3(v); otherwise, not all processes of the refined expression would be generated in this compositional way. It is not hard to characterise the events that may be refined by non-complete processes: they are the maximal ones; in Figure 1(i), the X-labelled event is not maximal while in 3(iv), it is. The definition is structured accordingly. Let Π₁ and Π₂ be two SBPs. Let π₁ ∈ Π₁, π₂ ∈ Π₂ and π₁ = [η₁], π₂ = [η₂]. For η₁ = (B₁, E₁, F₁, λ₁) we define

E₁ₘ^X = {e ∈ E₁ | λ₁(e) = X and e is maximal}

E₁^X = {e ∈ E₁ | λ₁(e) = X}.

In the following, (a) determines the proper relationship between e of η₁ and η₂ for a refinement of the former by the latter to be possible, and also gives the definition; (b) appeals to [4] to generalise this definition to simultaneous refinement; (c), finally, gives the general definition of Π₁[X ← Π₂].

(a) This assumes that if e ∈ E₁^X \ E₁ₘ^X then η₂ is complete. We define

η₁[e ← η₂] = ((η₁ ∪ η₂)

  ⊕ (•e ⊗ •η₂, l)

  ⊕ (e• ⊗ η₂•, l))

  ⊖ (•e ∪ e• ∪ •η₂ ∪ η₂•) ⊖ {e}

where l({b₁, b₂}) = λ₁(b₁) for new conditions {b₁, b₂} with b₁ ∈ B₁.

(b) We now appeal to the results of [4] which show that the refinement of e by η₂ and the refinement of e' by η₂ (both e and e' being different events of the same process η₁) commute; and, more generally still, that one may extend the whole definition to the simultaneous refinement

η₁[e⁽ⁱ⁾ ← η₂⁽ⁱ⁾, i ∈ I]

of a whole (possibly empty⁶ or possibly infinite) set of events {e⁽ⁱ⁾ | i ∈ I} ⊆ E₁ - provided each individual refinement η₁[e⁽ⁱ⁾ ← η₂⁽ⁱ⁾] is valid according to (a).

(c) Finally, we define generally:

Π₁[X ← Π₂] = {[η₁[e⁽ⁱ⁾ ← η₂⁽ⁱ⁾, i ∈ I]] | {e⁽ⁱ⁾ | i ∈ I} = E₁^X and
  [η₁] ∈ Π₁ and [η₂⁽ⁱ⁾] is some element of Π₂}

That is, we require that all X-labelled events of η₁ be replaced by processes from Π₂. This may introduce new X-labelled events if the processes from Π₂ contain such events.

4.2.8 Recursion of SBPs

In accordance with one of the central ideas behind the Petri Box semantics, we shall interpret recursion as the limit of successive refinements. In the static Box semantics, the Box associated to, say, μX.(a;X;b) is symmetric in a and b; it has as many a-labelled transitions as it has b-labelled transitions even though only the former, but not the latter, can be executed. In the Box process semantics, this symmetry must be broken: the processes of μX.(a;X;b) may contain arbitrarily many a-labelled events, but none of them may contain any b-labelled event. The if...then premise of part (a) of the definition of refinement is the technical means by which this is achieved.

⁶ In which case the refinement changes nothing.

Let Π be an SBP. Define a sequence of SBPs as follows⁷:

Π₀ = {[η₀]}

Πⱼ₊₁ = Π[X ← Πⱼ]

μX.Π = {[⋃_{j=0}^{∞} ηⱼ] | η₀ ≼ η₁ ≼ ⋯, [ηⱼ] ∈ Πⱼ}.

Note first that none of the processes in Πⱼ, and hence none of the processes in μX.Π either, may contain any X-labelled events.

Figure 4 illustrates this definition⁸. The process [η₀] is in Π₀ by definition. The other processes arise out of each other as follows:

η₁ = γ₁[e ← η₀]

η₂ = γ₂[e ← η₁]

η₃ = γ₂[e ← η₂],

and the infinite process arises as the union of the finite ones. Note that the X-labelled event in γ₃ cannot be refined at all, because none of the processes in Πⱼ is complete.

Other interesting expressions on which this definition can be checked are μX.X and μX.(a||X) and μX.(a □ a||X). The process set Π(μX.X) has only one process with an e-labelled condition⁹. The second process set Π(μX.(a||X)) has an isolated e-labelled condition in every process. It also has an infinite process with an isolated e-labelled condition, which can be obtained as a sequence of prefix-related processes all of which (including the very first one) have infinitely many isolated e-labelled conditions. In this way, the definition is consistent with the one (on Boxes) given in [4]. The third process set Π(μX.(a □ a||X)) has infinitely many terminating finite processes, but again no infinite terminating process; this comes from the fact that in the definition we use prefix ordering (rather than the weaker relation of net inclusion, which is also a partial order on labelled causal nets).

4.3 Process semantics of Box expressions

For each term E of the Box algebra defined in section 2, we are now able to define a function Π such that Π(E) gives the set of partial executions (Box processes) of E. Let E, E₁, E₂, E₃ be Box expressions, a ∈ A an action name and α a communication label.

⁷ The net η₀ consists of an isolated e-labelled condition, as defined in section 4.1.

⁸ In parts (i) and (ii) of this figure, the semantics of section 4.3 is used.

⁹ While the Box of μX.X (section 5) consists of two isolated conditions, one of which is e-labelled and one of which is x-labelled.
[Figure 4: drawings not recoverable from the scan; panel titles follow.]

(i) The Box associated to the expression μX.(a;X;b)

(ii) A process of the Box shown in (i)

(iii) An application of the definition to obtain the process (ii)

Figure 4: Illustration of the definition of recursion
5 Domain 2: the Box Algebra

We may define the Box algebra in a similar manner as before by defining its domain and its basic elements (section 5.1); and its operations (section 5.2). We apply the approach of [4] which allows us to be relatively brief, because many operations can be based on refinement. However, we can only outline the definitions; for details, the reader is referred to [4, 5].

5.1 The domain B and its basic elements

The elements of the Box algebra are the Petri Boxes B = [Σ]. Let B denote the set of Boxes. Let α ∈ L. The Box Box(α) which offers the communication possibilities of α in a single transition is defined as follows: Box(α) = [({s₁, s₂}, {t}, {(s₁, t), (t, s₂)}, λ)] with λ(s₁) = e, λ(s₂) = x and λ(t) = α. A special case is Box(∅), which is analogous to CCS's silent action τ. The Box Box(X), for a variable X, is defined similarly.


5.2 Operations on Boxes

5.2.1 Refinement

Let E[X ← E'] be a Box expression with refinement. Let B = Box(E) and B' = Box(E'). Any representative of B may contain transitions with labels X. The natural semantics of the operator E[X ← E'] corresponds to the refinement of such transitions.

The basic idea behind transition refinement is as follows [4, 16]. Let t be an X-labelled transition in some representative Σ of a Box B, and let Σ' be a representative of a Box B' such that t is to be refined by Σ'. By our basic properties of labelled nets and of Boxes, we have that t has at least one pre-place and Σ' has at least one e-labelled place. Hence the product •t ⊗ •Σ' is not empty and can be used in the refined system; a similar remark is true for the post-places t• of t and the exit places of Σ'.

This basic idea works directly if there is a single X-labelled transition t whose pre-places and post-places are disjoint. [4] describes a significantly generalised construction which works if there are arbitrarily many X-labelled transitions (including the case of infinitely many); if X-labelled transitions are contained in side conditions; for simultaneous refinement B[X ← B', Y ← B''] (meaning: refine all X-labelled transitions by B', and simultaneously, all Y-labelled transitions by B''), and generalisations thereof.

5.2.2 Sequence, choice, concurrent composition and iteration

These Box operations may be based on simultaneous refinement. Let B₁, B₂ and B₃ be Boxes. We define

B₁;B₂ = B_;[X ← B₁, Y ← B₂]

B₁ □ B₂ = B_□[X ← B₁, Y ← B₂]

B₁||B₂ = B_||[X ← B₁, Y ← B₂]

[B₁ * B₂ * B₃] = B_*[X ← B₁, Y ← B₂, Z ← B₃],

where B_;, B_□, B_|| and B_* are the Boxes shown in Figure 5.

[Figure 5: drawings not recoverable from the scan.]

Figure 5: The basic Boxes for sequence, choice, composition and iteration

The translation of iteration using the Box B_* shown in Figure 5 ensures, by the results of [12], that the semantics is 1-safe. An alternative translation that may come to mind (an X-labelled transition followed by a side transition labelled Y followed by a Z-labelled transition) violates 1-safeness in cases like [a * (b||c) * d]. Indeed, under this alternative translation, the main result of section 6.2 becomes wrong.


5.2.3 Recursion

Let μX.E be a recursive expression. The intended meaning is that at the free X's, 'E is called recursively'. Corresponding to the fact that a particular kind of syntactic substitution is the natural way of describing this recursive call [1, 23], at the semantic level the semantics translates into a succession of refinements. Since refinements define a function on labelled nets, the whole approach leads to the employment of fixpoints [4].

The basic idea is the following. First, we construct some representative Σ of Box(E), the Box associated with the body of the recursive expression. Next, we define an initial Box representative Σ₀ with a nonempty set of entry places and a nonempty set of exit places and nothing else (no internal places, no transitions); the equivalence class of Σ₀ is called a stop Box, as it cannot terminate (and cannot, in fact, change its initial state). Then, we iterate as follows:

Σᵢ₊₁ = Σ[X ← Σᵢ].

As an example, we derive the Box shown in Figure 4(i) which corresponds to the expression μX.(a;X;b). First, a three-transition representative Σ of the body Box(a;X;b) may be constructed. Then, as the zero'th approximation, we may define a stop representative with only two places, one entry place and one exit place. The X-transition of Σ may be refined by this latter net, yielding the first approximation with 2 transitions. The X-transition of Σ may be refined again by the result, yielding the second approximation with 4 transitions, and so forth. The limit yields the representative shown in Figure 4(i).
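The approximation sequence Σ₀, Σ₁, Σ₂, … just described, as an added Python example (not the paper's code): it implements the single-transition refinement of section 5.2.1 for a transition whose pre- and post-places are disjoint, using the products •t ⊗ •Σ' and t• ⊗ Σ'•, and iterates Σᵢ₊₁ = Σ[X ← Σᵢ] on a three-transition representative of Box(a;X;b). The place and transition names (s1 to s4, ta, tX, tb, e0, x0) and the tuple-based renaming of copies are this example's own choices.

```python
from itertools import product

# Added example, not the paper's code.  Place labels are 'e', 'x' or None (∅);
# transitions carry action names or a variable name such as 'X'.

class LabelledNet:
    """Sigma = (S, T, W, lam) with arc weights W as a dict {(x, y): weight}."""

    def __init__(self, S, T, W, lam):
        self.S, self.T, self.W, self.lam = set(S), set(T), dict(W), dict(lam)

    def pre(self, z):    # •z
        return {u for (u, v), w in self.W.items() if v == z and w > 0}

    def post(self, z):   # z•
        return {v for (u, v), w in self.W.items() if u == z and w > 0}

    def entry(self):     # •Sigma
        return {s for s in self.S if self.lam[s] == 'e'}

    def exit(self):      # Sigma•
        return {s for s in self.S if self.lam[s] == 'x'}

    def is_box(self):
        """Properties (i)-(iv) of Definition 3.1."""
        return (bool(self.entry()) and bool(self.exit())
                and all(not self.pre(s) for s in self.entry())
                and all(not self.post(s) for s in self.exit()))


def renamed(net, tag):
    """A copy of net disjoint from everything else: each element z becomes (tag, z)."""
    f = lambda z: (tag, z)
    return LabelledNet({f(s) for s in net.S}, {f(t) for t in net.T},
                       {(f(u), f(v)): w for (u, v), w in net.W.items()},
                       {f(z): l for z, l in net.lam.items()})


def refine_transition(sigma, t, sigma2):
    """sigma with the single transition t replaced by the disjoint Box representative
    sigma2 (section 5.2.1, for t without side conditions): the products •t ⊗ •sigma2
    and t• ⊗ sigma2• become new places labelled like the sigma-place and inherit the
    arcs of both factors; t, •t, t•, •sigma2 and sigma2• disappear."""
    if (sigma.S | sigma.T) & (sigma2.S | sigma2.T) or sigma.pre(t) & sigma.post(t):
        raise ValueError("nets must be disjoint and t must have no side conditions")
    pairs = (list(product(sigma.pre(t), sigma2.entry()))
             + list(product(sigma.post(t), sigma2.exit())))
    gone = {t} | sigma.pre(t) | sigma.post(t) | sigma2.entry() | sigma2.exit()
    arcs = {**sigma.W, **sigma2.W}
    S = (sigma.S | sigma2.S) - gone
    T = (sigma.T | sigma2.T) - gone
    W = {(u, v): w for (u, v), w in arcs.items() if u not in gone and v not in gone}
    lam = {z: l for z, l in {**sigma.lam, **sigma2.lam}.items() if z not in gone}
    for s, s2 in pairs:
        new = frozenset({s, s2})
        S.add(new)
        lam[new] = sigma.lam[s]
        for (u, v), w in arcs.items():
            if u in (s, s2) and v not in gone:
                W[(new, v)] = w
            if v in (s, s2) and u not in gone:
                W[(u, new)] = w
    return LabelledNet(S, T, W, lam)


def refine_all(sigma, X, sigma2):
    """sigma[X <- sigma2]: refine every X-labelled transition by its own fresh copy."""
    result = sigma
    for i, t in enumerate(sorted((t for t in sigma.T if sigma.lam[t] == X), key=repr)):
        result = refine_transition(result, t, renamed(sigma2, (X, i)))
    return result


def body_aXb():
    """A three-transition representative of Box(a;X;b) (names chosen here)."""
    S = {'s1': 'e', 's2': None, 's3': None, 's4': 'x'}
    T = {'ta': 'a', 'tX': 'X', 'tb': 'b'}
    arcs = [('s1', 'ta'), ('ta', 's2'), ('s2', 'tX'), ('tX', 's3'), ('s3', 'tb'), ('tb', 's4')]
    return LabelledNet(S, T, {arc: 1 for arc in arcs}, {**S, **T})


def approximations(body, X, n):
    """Sigma_0 = stop Box (one entry, one exit place, nothing else),
    Sigma_{i+1} = body[X <- Sigma_i]; returns [Sigma_0, ..., Sigma_n]."""
    seq = [LabelledNet({'e0', 'x0'}, set(), {}, {'e0': 'e', 'x0': 'x'})]
    for _ in range(n):
        seq.append(refine_all(body, X, seq[-1]))
    return seq


if __name__ == "__main__":
    for i, sigma in enumerate(approximations(body_aXb(), 'X', 3)):
        print(f"Sigma_{i}: {len(sigma.T)} transitions, {len(sigma.S)} places")  # 0, 2, 4, 6 transitions
```

Each approximation is again a Box representative, no X-labelled transition survives, and the transition counts 2, 4, 6 are exactly those quoted in the text for the first and second approximations and their successor. Refining with a copy that is not disjoint, or a transition with a side condition, is rejected, since the construction implemented here is only the direct single-transition case; the generalised construction of [4] is not reproduced.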

5.2.4 Synchronisation and restriction

The effect of the synchronisation operation B sy a has already been described in section 4.2.5. The formal definition consists of adding transitions which correspond to multisets of existing transitions such that the minimum-formula is satisfied, which is a criterion for the multiset in question to be a valid synchronisation set. Restriction B rs a has an opposite effect; it removes all transitions that have an a or an â in their label.

Notice that these operations are quite different from those of sections 4.2.5 and 4.2.6; here, they add (or remove) transitions whilst there, they add (or remove) processes.

5.3 Box semantics of Box expressions

With these definitions, the Box semantics Box(E) of a Box expression E can be given by a homomorphism that maps expressions and their operators into Boxes and their operations. The table giving this definition is analogous to that of section 4.3 and will be omitted here.


6 Consistency

Let B = Box(E) be a Box with a representative Σ = (S, T, W, λ). The standard initial marking of Σ is the marking that puts one token on each e-labelled place of Σ and zero tokens on all other places; let us denote by ST(Σ) the place/transition system so defined. The results of [12] imply that ST(Σ) is a 1-safe marked net¹⁰. Standard Petri net theory [3, 17] allows us to associate a set of processes (causal nets labelled with places from S and transitions from T, and hence, by proxy, also with elements of {e, ∅, x} ∪ L ∪ V) to ST(Σ).

¹⁰ Because B derives from an expression; otherwise 1-safeness is not guaranteed.

Two  questions  arise  naturally:  (1)  If  E  and  E'  are  two  representatives  of  B, 
what  is  the  relation  (if  any)  between  their  processes?  (2)  What  (if  any)  is  the 
relation  between  the  processes  of  representatives  of  B  and  the  Box  processes  of 
B  defined  in  section  4? 

6.1  Representative  independence  of  processes 

We  investigate  two  labelled  nets  Ei  =  (5j,Tx,  Wi.Ai)  with  standard  initial 
marking  A/je  and  E2  =  (S2,  T2,  W2,  A2)  with  standard  initial  marking  Af2e  which 
are  p-related.  The  first  step  is  to  lift  the  relation  p  from  the  places  of  the  two  nets 
to  their  markings.  This  relies  on  the  observation  that  all  markings  (the  initial 
ones  and  the  reachable  ones)  are  duplicate  respecting,  meaning  that  duplicate 
places  always  carry  the  same  number  of  tokens.  This  allows  to  turn  p  into  a 
bijection  on  the  two  reachability  graphs  of  ST(Ei)  and  ST( E2). 

The  second  step  is  to  consider  any  two  labelled  causal  nets  771  and  rfi  which  are 
renaming  equivalent  by  means  of  a  relation  p! .  Then  p  defines  a  bijection  both 
between  the  events  of  J7i,%  and  between  their  reachable  B-cuts  (the  process 
equivalent  of  reachable  markings) . 

The  third  step  is  to  consider  a  process  k\  —  (Bx,  E\,  Fi,pi)  of  ST{ Ei)  with  a 
function  pi :  Bx  U  Ex  -+  U  T\  which  describes  which  conditions  are  holdings 
of  which  places,  and  which  events  are  occurrences  of  which  transitions.  We  may 
associate  to  /«i  a  labelled  causal  net  f7(«i)  =  (Bx,  E\,  F\,p\  o  Ax)  (pt  o  Ax  is  the 
‘by  proxy’  labelling  of  «x  inherited  from  Ex).  The  first  main  theorem  shows 
that  «x  is  p'-equi valent  to  some  process  k2  of  E2,  completing  a  diagram  that 
commutes  both  in  terms  of  events/transitions  and  in  terms  of  B-cuts/markings. 

Theorem 6.1 Representative independence

With the notation as above, there exists a process $\kappa_2 = (B_2, E_2, F_2, p_2)$ of $ST(\Sigma_2)$ and a relation $\rho'$ such that

(a) the labelled causal nets $\eta(\kappa_1)$, $\eta(\kappa_2)$ associated to $\kappa_1$ and (similarly) to $\kappa_2$, respectively, are $\rho'$-related.

(b) For all $e_1 \in E_1$ and $e_2 \in E_2$: if $e_2 \in \rho'(e_1)$ then $(p_1(e_1), p_2(e_2)) \in \rho$.

(c) For all reachable B-cuts $c_1$ of $\kappa_1$ and $c_2$ of $\kappa_2$: if $c_2 = \rho'(c_1)$ then $p_2(c_2) = \rho(p_1(c_1))$.

In part (c) of the theorem, we use the notation $\rho(c)$ to denote the marking corresponding to $c$ via $\rho$. Parts (b) and (c) relate back to the fact that $\rho'$ (by part (a)) defines a bijection on events and on B-cuts. This result has a number of corollaries. We state some of them.
Corollary 6.2

For every occurrence sequence of $ST(\Sigma_1)$ ($M_{1e} = M_0$) there exists a corresponding occurrence sequence of $ST(\Sigma_2)$ ($M_{2e} = M_0'$).

The event pomsets of $ST(\Sigma_1)$ and the event pomsets of $ST(\Sigma_2)$ are isomorphic to each other.

If $\Sigma_1$ and $\Sigma_2$ are two representatives of the same Box $B$ then

$\{[\eta(\kappa)] \mid \kappa \text{ is a process of } ST(\Sigma_1)\} = \{[\eta(\kappa')] \mid \kappa' \text{ is a process of } ST(\Sigma_2)\}$

where $[\eta(\kappa)]$ denotes the Box process associated with $\eta(\kappa)$ (Definition 3.2).

The last part of this corollary allows us to associate a set of Box processes $\Pi(B)$ uniquely to any Box $B$, by choosing an arbitrary concrete representative $\Sigma$ of $B$, evaluating its processes $\kappa$, the associated labelled causal nets $\eta(\kappa)$ and forming their $\rho$-equivalence classes. In particular, we may thus associate a set of Box processes $\Pi(Box(E))$ uniquely to every Box expression $E$, which may or may not be different from the set $\Pi(E)$; by the next result, it is not.

6.2 Consistency between the indirect and the compositional semantics

Theorem 6.3

Let $E$ be a Box expression. Then $\Pi(E) = \Pi(Box(E))$, where $\Pi(E)$ is defined in section 4.3 and $\Pi(Box(E))$ is defined following corollary 6.2.

The proof is by structural induction on the syntax of Box expressions [8].


7  Concluding  Remarks 

Figure 6 summarises the main ideas and results of this paper. Starting from an expression $E$ one may define its processes $\Pi(E)$ directly (first vertical line). One may also define them indirectly (first horizontal line; second and third vertical line). The auxiliary results of section 6.1 state that the indirect definition is representative independent. The main result of section 6.2 states that the diagram commutes.

The  paper  [20]  extends  the  framework,  the  definitions  and  the  results  of  this 
paper  to  the  compositional  construction  of  the  branching  processes  [13]  of  a  Box 
expression.  Work  is  furthermore  in  progress  to  use  the  process  semantics  and  the 
branching  process  semantics  in  order  to  define  and  compare  various  behavioural 
equivalence  notions  that  may  be  defined  on  the  Box  expression  algebra. 
Although  the  operations  we  have  defined  on  Box  processes  have  been  inspired  by 
prior  work  such  as  that  of  Cherkasova  and  Kotov  [10]  and  Pratt  [25],  there  are 
Figure 6: Summary of the main results (diagram: processes of $ST(\Sigma)$ correspond to processes of $ST(\Sigma')$ by section 6.1; $\Pi(E) = \Pi(Box(E))$ by section 6.2)


substantial  differences.  The  paper  by  Cherkasova  and  Kotov  does  not  deal  with 
iteration  or  recursion.  Pratt’s  pomsets  are  event-based  rather  than  process- 
based,  whence  his  framework  does  not  lend  itself  to  our  purposes.  Moreover, 
our  operators  are  partly  different,  and  the  type  of  result  we  have  aimed  for 
(consistency  with  standard  Petri  net  semantics)  has  not  been  investigated  by 
Pratt.  A  more  extensive  discussion  of  the  relationship  between  our  approach 
and  other  work  can  be  found  in  [5]. 
Abstract

The  paper  addresses  the  specification  of  reactive  behaviour  for 
event-based  models.  We  are  concerned  with  a  framework  for  such 
specification  rather  than  with  a  particular  style  of  specifications. 

Our main observation is that a logic of events is needed as well as a logic of actions. The former prescribes in fine detail how computations proceed, while the latter provides generic scripts for events to happen. The analogy is that of procedures and procedure calls at runtime (= events). We claim that both logics are inherently interrelated, in particular if "true concurrency" is to be specified.

In order to specify reactive behaviours we propose a logic of actions on top of a new model called event automata, focusing on the ingredients that such a specification method should provide.

1  Introduction 

A  reactive  system  constantly  interacts  with  its  environment  by  reacting 
to  incoming  stimuli  that  may  arrive  at  any  stage  of  the  computation. 
In  this  paper,  we  discuss  the  minimal  ingredients  to  be  provided  by  a 
specification  methodology  which  is  based  on  “true  concurrency”  models. 

*Work  partially  supported  by  the  German  Ministry  for  Science  and  Technology, 
Verbundprojekt  KORSO,  subproject  “Design  of  Reliable  Reactive  Systems”  (grant 
No.  ITS  900  1A7). 

*New  address:  Dipartimento  di  Matematica,  Universita  degli  Studi  di  Siena,  Via 
del  Capitano  15,  1-53100  Siena,  Italy 
The choice of the basic model is crucial. We have introduced event automata as a very basic model of reactive behaviour [12]. This model subsumes familiar event-based models such as prime event structures, flow event structures, general event structures as well as geometric automata. These can be accommodated compositionally, meaning that, for instance, synchronization operators can be defined which exactly correspond to those defined for the other models.

The  definition  of  event  automata  is  simple  if  compared  with  other 
event-based  models.  This  is  achieved  by  focusing  on  behaviour  only. 
Other  models  present  behaviour,  with  behaviour  typically  being  given 
in  terms  of  configuration  spaces.  Let  us  review  our  basic  definition. 

Definition 1 An event automaton $\mathcal{E} = (E, St, \vdash, ev)$ consists of

• a set $E$ of events,

• a set $St$ of states such that $ev(s) \subseteq E$ for all $s \in St$, and

• a transition relation $s \vdash s'$ such that $ev(s') = ev(s) \uplus \{e\}$¹ for some event $e \in E$.

Usually,  we  assume  ev(s)  to  be  finite. 

A state of an event automaton represents a (possibly partial) computation of a concurrent system and a transition relation between states describes how computations proceed.² As a minimal requirement, we keep track of the events which have occurred so far. These are recorded by the set $ev(s)$ for every state $s$. Moreover, every transition corresponds to the occurrence of some event. The definition implies that an event can occur only once in a trace of the system. Throughout the paper we maintain the basic assumption of event-based systems that events are instantaneous and indivisible, and that they occur only once in a computation. We do not subscribe to the other requirement of event structures that an event can only occur once in all computations. An example may highlight the difference.

The automaton in figure 1 cannot be a family of configurations [18] of an event structure: both the events $a$ and $b$ are enabled without preconditions, i.e. $\vdash a$ and $\vdash b$. Hence, by the monotonicity axiom '$Y \vdash a$

¹We use the notation $X \uplus \{e\}$ to state that $X \cup \{e\}$ is a disjoint union of $X$ and $\{e\}$.

²As a remark, reachable states are generated by initial states. We consider as reachable states those $s \in St$ such that $s_{in} \vdash^* s$, where $\vdash^*$ is the transitive and reflexive closure of $\vdash$ and $s_{in}$ is an initial state. Of course we have first to say which states are initial. $Reach(\mathcal{E})$ denotes the subautomaton of reachable states.
Figure 1: An example where reachability is not monotonic

whenever $X \vdash a$ and $X \subseteq Y$' inherent in all definitions of event structures, there should be a move $\{b\} \to \{a, b\}$, which one may want to avoid. Inclusion coincides with transition in event structures because of the monotonicity rule. In consequence, every event can occur only once in all computations. Pragmatically, we may say that $a$ and $b$ are in asymmetric conflict.

In  order  to  specify  reactive  behaviour,  the  following  appears  to  be  a 
minimal  set  of  properties  to  be  captured: 

• Consistency. A set of events is consistent if and only if all the events in this set may coexist together. Inconsistencies may arise if we try to extend a computation with an event which is in conflict with another present in the computation. We can then specify conflicts by means of an irreflexive relation³.

• Dependency between events. Dependency between events is usually identified with causality: an event $e'$ causally depends on an event $e$ if and only if every computation containing $e'$ contains also $e$. Since the definition refers to the overall behaviour, causality appears to be more a matter of observation a posteriori than a matter of specification a priori. For specification, the notion of enabling is more appropriate: the notation $\phi \vdash e$ states that an event $e$ may occur if the formula $\phi$ holds.

Specification  only  in  terms  of  events  is  often  too  fine-grained:  if  we 
type  20  ‘a’s  on  a  typewriter,  we  have  20  different  events,  namely  ‘typing 
the  i-th  a’,  but  all  events  correspond  to  the  same  action  ‘typing  an  a’.  A 
system  should  be  specified  in  terms  of  actions  which  we  consider  as  being 
generic  scripts  for  determining  the  evolution  of  the  system. 

The  question  arises  of  how  to  associate  events  to  actions,  actions  being 
used  for  specification  while  the  actual  behaviour  of  a  system  is  defined  in 

³Usually the conflict relation is also symmetric, but then we have problems in specifying a situation where, though the events are in conflict, they may occur in the same computation, provided that a certain order is respected.


terms of events. The nature of an answer depends on the specific computational model, e.g. states having a memory and actions changing the memory with concurrent processes sharing the memory, or communication being achieved by synchronization of events. The variety of models envisaged suggests looking for a framework for specification rather than for a specific style of specification. We propose conditions for such a framework in section 4.

We  should,  however,  keep  in  mind  that  we  ultimately  want  to  specify 
event-based  behaviour.  A  logic  of  actions  should  map  down  to  a  logic  of 
events.  Section  3  will  analyze  the  ingredients  of  the  latter.  Specifically, 
we  investigate  the  compositionality  of ‘event  specification’  with  regard  to 
synchronization  operators. 

Section  2  restates  some  results  about  “pure  event  automata”,  and 
some  preliminary  conclusions  are  stated  in  section  5. 

2  Synchronization  of  Pure  Event  Automata 

A  ‘logic  of  events’  refers  to  behaviour  only  in  terms  of  events.  Hence  we 
restrict  our  attention  to  event  automata  the  states  of  which  are  sets  of 
events. 

Definition 2 A pure event automaton $\mathcal{E} = (E, St, \vdash)$ consists of

• a set $E$ of events,

• a set $St$ of states such that, for all $X \in St$, $X$ is a finite subset of $E$, and

• a transition relation $X \vdash Y$ such that $Y = X \uplus \{e\}$.

It is well known that synchronization operators can be defined in terms of partially synchronous products and restriction⁴ [19]. We recall the definitions and results of [12, 13].

Definition 3 A (partially synchronous) homomorphism $h : \mathcal{E} \to \mathcal{E}'$ of event automata consists of a partial mapping $h : E \to E'$ on events such that all the infrastructure is preserved, i.e.

• $h(X) \in St'$ if $X \in St$,

• $h$ is injective on all states, meaning that, for all $x, y \in X \in St$, if $h(x)$ and $h(y)$ are defined, and $h(x) = h(y)$, then $x = y$, and

• $h(X) \vdash h(X) \cup \{h(e)\}$ if $X \vdash X \uplus \{e\}$, and if $h(e)$ is defined,

where $h(X) = \{h(x) \in E' : x \in X \text{ and } h(x) \text{ is defined}\}$.

⁴If the events are labeled, then the relabeling operation plays a major role.

Injectivity on states guarantees that every transition coincides with an event, and that $h(X) \vdash h(X) \cup \{h(e)\} = h(X) \uplus \{h(e)\}$. Pure event automata and their morphisms form a category.

The partially synchronous product of two event automata is defined by:

Definition 4 The product $\mathcal{E}_1 \sqcap \mathcal{E}_2$ of event automata $\mathcal{E}_1$ and $\mathcal{E}_2$ is defined by $(E, St, \vdash)$ where

• $E = E_1 \times_s E_2 = E_1 \uplus (E_1 \times E_2) \uplus E_2$, and the projections $\pi_i : E \to E_i$ are partial mappings defined by $\pi_i(e_1, e_2) = e_i$, $\pi_i(e_i) = e_i$ if $e_i \in E_i$ for $i = 1, 2$,

• $X \in St$ iff $\pi_1(X) \in St_1$ and $\pi_2(X) \in St_2$, and if $\pi_1$ and $\pi_2$ restricted to states are injective,

• $X \vdash X \cup \{e\}$ iff $X$ is a state, and if $\pi_1(X) \vdash \pi_1(X) \uplus \{\pi_1(e)\}$ whenever $\pi_1(e)$ is defined, and if $\pi_2(X) \vdash \pi_2(X) \uplus \{\pi_2(e)\}$ whenever $\pi_2(e)$ is defined.

Proposition  5  [12,  13]  The  product  of  two  pure  event  automata  is  a 
categorical  product. 

The restriction operator is defined by⁵

Definition 6 Let $\mathcal{E}$ be an event automaton and let $h : E' \to E$ be a partial mapping. Then we can construct an event automaton $h^*(\mathcal{E}) = (E', St', \vdash')$ by

• $St' = \{X \subseteq E' : h(X) \in St \text{ and } h \text{ is injective on } X\}$, and

• $X \vdash' X \uplus \{e\}$ if $h(e)$ is undefined, or if $h(X) \vdash h(X) \uplus \{h(e)\}$ otherwise.

Note that $h : h^*(\mathcal{E}) \to \mathcal{E}$ is a homomorphism of event automata.

Synchronization  operations  are  obtained  by  a  combination  of  product 
and  restriction.  The  use  of  restriction  avoids  a  more  complicated  direct 
definition  (see  [18]). 

⁵The definition is slightly more general than necessary in that one usually restricts attention to inclusions.

Definition 7 Let $\mathcal{E}_1$ and $\mathcal{E}_2$ be two event automata and let $A \subseteq E_1 \times E_2$ be a set (the synchronization set). Define $\mathcal{E}_1 \|_A \mathcal{E}_2 = \iota^*(\mathcal{E}_1 \sqcap \mathcal{E}_2)$ where $\iota : A \cup (E_1 \setminus A_1) \cup (E_2 \setminus A_2) \to E_1 \times_s E_2$ denotes the embedding with $A_i = \pi_i(A)$ for $i = 1, 2$.

The definitions naturally subsume those for (prime, flow) event structures as demonstrated in [13], but also allow us to define synchronization of trace automata (here an admissible state is the set of prefixes of a trace) or Mazurkiewicz traces [7].
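As an added illustration (not code from the paper), the following Python computes Definitions 4, 6 and 7 literally on two small pure event automata constructed here: automaton 1 performs a and then s, automaton 2 performs s' and b independently, and the synchronization set is A = {(s, s')}. The tags '1', '2' and 's' on events are an assumption used to encode E1 ⊎ (E1 × E2) ⊎ E2.

```python
"""Added example (not the paper's code): the partially synchronous product,
restriction and the synchronization operator ||_A of Definitions 4, 6, 7.
An automaton is (events, states, transitions): states is a set of
frozensets of events, transitions a set of (X, Y) pairs with Y = X + {e}."""
from itertools import combinations


def subsets(events):
    """All subsets of a finite event set, as frozensets."""
    evs = list(events)
    for r in range(len(evs) + 1):
        for combo in combinations(evs, r):
            yield frozenset(combo)


def fs(*events):
    return frozenset(events)


# Events of E1 x_s E2 = E1 + (E1 x E2) + E2 are tagged by origin (assumed
# encoding): ('1', e1), ('2', e2) and ('s', e1, e2) for a synchronized pair.
def proj(i, e):
    """Partial projection pi_i; None stands for 'undefined'."""
    if e[0] == 's':
        return e[i]
    return e[1] if e[0] == str(i) else None


def proj_set(i, X):
    """pi_i(X) = {pi_i(x) : x in X and pi_i(x) is defined}."""
    return frozenset(proj(i, x) for x in X if proj(i, x) is not None)


def injective(i, X):
    """pi_i restricted to X is injective."""
    defined = [proj(i, x) for x in X if proj(i, x) is not None]
    return len(defined) == len(set(defined))


def product(aut1, aut2):
    """Definition 4: the partially synchronous product of two automata."""
    (E1, St1, T1), (E2, St2, T2) = aut1, aut2
    E = ({('1', e) for e in E1} | {('2', e) for e in E2}
         | {('s', e1, e2) for e1 in E1 for e2 in E2})
    St = {X for X in subsets(E)
          if injective(1, X) and injective(2, X)
          and proj_set(1, X) in St1 and proj_set(2, X) in St2}
    T = set()
    for X in St:
        for e in E - X:
            Y = X | {e}
            # every defined projection of e must be a move of its component
            if Y in St and all(
                    proj(i, e) is None
                    or (proj_set(i, X), proj_set(i, X) | {proj(i, e)}) in Ti
                    for i, Ti in ((1, T1), (2, T2))):
                T.add((X, Y))
    return E, St, T


def restrict(h, E_new, aut):
    """Definition 6: h*(aut) for a partial mapping h: E_new -> E, given as
    a dict (a missing key means h is undefined there)."""
    E, St, T = aut

    def image(X):
        return frozenset(h[x] for x in X if x in h)

    def inj(X):
        return len([x for x in X if x in h]) == len(image(X))

    St_new = {X for X in subsets(E_new) if inj(X) and image(X) in St}
    T_new = set()
    for X in St_new:
        for e in E_new - X:
            Y = X | {e}
            if Y in St_new and (e not in h
                                or (image(X), image(X) | {h[e]}) in T):
                T_new.add((X, Y))
    return E_new, St_new, T_new


def synchronize(aut1, aut2, A):
    """Definition 7: aut1 ||_A aut2 = iota*(aut1 x aut2), iota embedding
    A + (E1 \\ A1) + (E2 \\ A2) into E1 x_s E2."""
    A1 = {e1 for e1, _ in A}
    A2 = {e2 for _, e2 in A}
    E_new = ({('s', e1, e2) for e1, e2 in A}
             | {('1', e) for e in aut1[0] - A1}
             | {('2', e) for e in aut2[0] - A2})
    iota = {e: e for e in E_new}  # an inclusion: total and injective
    return restrict(iota, E_new, product(aut1, aut2))


def sample_automata():
    """Constructed input: automaton 1 does a and then s; automaton 2 does
    s' and b independently of each other."""
    aut1 = ({'a', 's'}, {fs(), fs('a'), fs('a', 's')},
            {(fs(), fs('a')), (fs('a'), fs('a', 's'))})
    aut2 = ({"s'", 'b'}, {fs(), fs("s'"), fs('b'), fs("s'", 'b')},
            {(fs(), fs("s'")), (fs(), fs('b')),
             (fs("s'"), fs("s'", 'b')), (fs('b'), fs("s'", 'b'))})
    return aut1, aut2


def demo():
    """Synchronize s with s': a must precede the joint event, b stays free."""
    aut1, aut2 = sample_automata()
    E, St, T = synchronize(aut1, aut2, {('s', "s'")})
    return len(E), len(St), len(T)
```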

3  A  Logic  of  Events 

The  basic  ingredients  of  a  pure  event  automaton  to  be  specified  are  the 
states  and  the  transition  relation. 

Properties of states may be stated in terms of a simple logic with atomic predicates $e$ which assert that an event $e$ has occurred: a state $X$ satisfies the predicate $e$, notation $X \models e$, if $e$ is an element of $X$. Then a state can be characterized by a (finite) conjunction of such atomic formulas where a conjunction is defined by the usual scheme. We may easily introduce more logical infrastructure, for instance $e \supset \neg e'$, which states that $e$ and $e'$ are inconsistent. A candidate for such a logic may be the geometric logic introduced in [4].

Similarly, atomic predicates of the form $\phi \vdash e$ may be used to specify enabling of the event $e$ in that $X \vdash X \cup \{e\}$ whenever $X \models \phi$ and $e \notin X$. We are here not so much concerned with details in style but to stress the distinction between specifications and the automata which satisfy a specification.

Definition 8

• We assume the existence of some appropriate "logic of events" which allows the statement that a finite set $X \subseteq E$ of events satisfies a formula $\phi$, in short $X \models \phi$. The formulas are "typed" by $E$ in that the respective set of events is well understood.

• A specification $Spec$ over events $E$ consists of a set of state formulas $\phi$, and a set of event declarations $\psi \vdash e$ where $\phi, \psi$ are of type $E$, and where $e \in E$.

• Let $\mathcal{E} = (E, St, \vdash)$ be an event automaton. Then

(i) $\mathcal{E} \models \phi$ if, for all states $X \in St$, $X \models \phi$, and

(ii) $\mathcal{E}, \psi \models e$ if, for all states $X \in St$, $X \vdash X \uplus \{e\}$ whenever $X \models \psi$ and $e \notin X$.

$\mathcal{E}$ satisfies a specification $Spec$, notation $\mathcal{E} \models Spec$, if $\mathcal{E} \models \phi$ for the state formulas $\phi$ in $Spec$, and if $\mathcal{E}, \psi \models e$ for all event declarations $\psi \vdash e$ in $Spec$.

This definition is parametric in the "logic" used. We concentrate on the structure of the specification and on the satisfaction of a given specification, rather than trying to capture all these notions in a logic. The choice of a specific logic depends on the nature of the problem to be analyzed.

In general there might be more than one automaton which satisfies a given specification, quite in contrast to the usual approach where "reachable" automata are considered. Enabling, however, provides a certain degree of "liveness" for every automaton satisfying a specification in that an event can happen if it is enabled.

Proposition 9 For every specification $Spec$ of type $E$ there exists a minimal reachable automaton $Min(Spec)$ of type $E$ such that $Min(Spec) \models Spec$.

More precisely, for every automaton $\mathcal{E}$ such that $\mathcal{E} \models Spec$ there exists a unique homomorphism $i : Min(Spec) \to Reach(\mathcal{E})$. $Min(Spec)$ is constructed thus: If $\emptyset \not\models \phi$, then this is the empty automaton. Otherwise it is generated by (1) $\emptyset$ is a state, and (2) whenever $X$ is a state, and there exists some event declaration $\psi \vdash e$ such that $X \models \psi$ and $X \uplus \{e\} \models \phi$, then $X \uplus \{e\}$ is a state, and $X \vdash X \uplus \{e\}$.

Some  compositionality  results  may  be  achieved  even  on  this  level  of 
abstraction,  provided  we  add  to  the  logic. 

Definition 10 Let $\phi$ be a formula of type $E'$, and let $h : E \to E'$ be a partial mapping. Then $h^*\phi$ is a formula of type $E$, and, for all $X \subseteq E$, let $X \models h^*\phi$ iff $h(X) \models \phi$ and $h$ is injective on $X$.

Proposition 11 For all event automata $\mathcal{E}'$ of type $E'$, and for all partial mappings $h : E \to E'$,

(i) $h^*(\mathcal{E}') \models h^*\phi$ if $\mathcal{E}' \models \phi$, and

(ii) $h^*(\mathcal{E}'), h^*\psi \models e$ if $\mathcal{E}', \psi \models h(e)$, provided that $h(e)$ is defined.

If $h$ is surjective on states, the converse statements hold.

Corollary 12

• Let $h^*Spec$ denote the specification with state formulas $h^*\phi$ and event declarations $h^*\psi \vdash e$ such that $\phi$ and $\psi \vdash h(e)$, if $h(e)$ is defined, are in $Spec$. Then $h^*(\mathcal{E}') \models h^*Spec$ whenever $\mathcal{E}' \models Spec$.

• If $\mathcal{E} \models h^*Spec$ then $h(\mathcal{E})$ is well-defined, and $h(\mathcal{E}) \models Spec$, where $h(\mathcal{E})$ has states $h(X)$ with $X$ being a state of $\mathcal{E}$, and transitions $h(X) \vdash h(Y)$ if $X \vdash Y$ in $\mathcal{E}$.

Proposition 13 Let $X \models \phi \wedge \psi$ if $X \models \phi$ and $X \models \psi$. Define the specification $Spec_1 \sqcap Spec_2$ to consist of the state formulas $[\pi_1]\phi_1 \wedge [\pi_2]\phi_2$ and the event declarations

$[\pi_1]\psi_1 \vdash e$ if $\pi_1(e)$ is defined, $\pi_2(e)$ is not defined, and $\psi_1 \vdash \pi_1(e)$ is in $Spec_1$,

$[\pi_2]\psi_2 \vdash e$ if $\pi_2(e)$ is defined, $\pi_1(e)$ is not defined, and $\psi_2 \vdash \pi_2(e)$ is in $Spec_2$,

$[\pi_1]\psi_1 \wedge [\pi_2]\psi_2 \vdash e$ if both $\pi_1(e)$ and $\pi_2(e)$ are defined, and $\psi_i \vdash \pi_i(e)$ is in $Spec_i$ for $i = 1, 2$.

Then

(i) $\mathcal{E}_1 \sqcap \mathcal{E}_2 \models Spec_1 \sqcap Spec_2$ iff $\mathcal{E}_1 \models Spec_1$ and $\mathcal{E}_2 \models Spec_2$, and

(ii) if $\mathcal{E} \models Spec_1 \sqcap Spec_2$ then $\pi_1(\mathcal{E}) \models Spec_1$ and $\pi_2(\mathcal{E}) \models Spec_2$.

The results support modular specifications involving synchronization operators provided the "logic" satisfies the requirements for $X \models \phi$.

In designing a concrete logic, a possible choice may be thus: for every event $e \in E$, let, ambiguously, $e$ denote a predicate such that $X \models e$ iff $e \in X$.⁶ We may as well add negation by $X \models \neg\phi$ iff $X \not\models \phi$. Then we can specify inconsistency of events, $e \supset \neg e'$, or asymmetric conflicts as mentioned in the introduction: $\neg e \vdash e'$ implies that an occurrence of $e$ prohibits the one of $e'$ (but not vice versa).

As an example we consider a protocol, which is informally specified by figure 2. Two agents, namely "A" and "B", communicate by means of a channel "K". C stands for "connect", D for "data" and R for "release". The agent "A" may request a connection ($C_{req}$). The agent "B" responds by events ($C_{ind}$ and $C_{rsp}$), and "A" receives an acknowledgment ($C_{cnf}$). The same procedure applies for release. Moreover, the agent "B" may send a data packet ($D_{req}$), or not, which is received by A ($D_{ind}$). The data packet should be received by A before the release of the connection is confirmed ($R_{cnf}$).

We  give  the  specification  of  the  agents  and  of  the  channel: 

⁶In combination with conjunction, this allows us to specify the enabling relation of arbitrary event structures.


Agent A, Declarations:
$\vdash C_{req}$
$C_{req} \vdash C_{cnf}$
$C_{cnf} \wedge \neg R_{cnf} \vdash D_{ind}$
$C_{cnf} \vdash R_{req}$
$R_{req} \vdash R_{cnf}$

Agent B, Declarations:
$\vdash C_{ind}$
$C_{ind} \vdash C_{rsp}$
$C_{rsp} \wedge \neg R_{ind} \vdash D_{req}$
$C_{rsp} \vdash R_{ind}$
$R_{ind} \vdash R_{rsp}$

Channel K, Declarations:
$\vdash C_{req}$
$C_{req} \vdash C_{ind}$
$\vdash C_{rsp}$
$C_{rsp} \vdash C_{cnf}$
$\vdash D_{req}$
$D_{req} \vdash D_{ind}$
$\vdash R_{req}$
$R_{req} \vdash R_{ind}$
$\vdash R_{rsp}$
$R_{rsp} \vdash R_{cnf}$

The negation is used to specify that there is an asymmetric conflict between the sending (receiving) of data and the release of the connection.

We  can  now  synchronize  the  corresponding  events  of  agent  A  and  the 
channel  K,  and  then  compose  with  agent  B  to  obtain  (modulo  renaming) 
the  specification 
Protocol, Declarations:
$\vdash C_{req}$
$C^K_{req} \vdash C_{ind}$
$C^B_{ind} \vdash C_{rsp}$
$C^A_{req} \wedge C^K_{rsp} \vdash C_{cnf}$
$C^B_{rsp} \wedge \neg R^B_{ind} \vdash D_{req}$
$C^A_{cnf} \wedge D^K_{req} \wedge \neg R^A_{cnf} \vdash D_{ind}$
$C^A_{cnf} \vdash R_{req}$
$C^B_{rsp} \wedge R^K_{req} \vdash R_{ind}$
$R^B_{ind} \vdash R_{rsp}$
$R^A_{req} \wedge R^K_{rsp} \vdash R_{cnf}$

The following notational conventions are used: the superscripts of the predicates indicate the origin, e.g. $C^A_{req}$ refers to the event $C_{req}$ of A.⁷ Since only events with the same names are synchronized, we replace e.g. $(C^A_{req}, C^K_{req})$ by $C_{req}$. The injectivity conditions for transformed predicates are trivially satisfied. Actually, one might strip off the superscripts altogether because of this specific nature of the example.
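The following Python is an added example (not code from the paper) that carries out the Min(Spec) construction of Proposition 9 on the protocol specification just given, with the superscripts stripped as the text allows. Formulas of the "logic of events" are represented as predicates over a frozenset of occurred events; the helper names (occ, neg, conj, min_spec, prohibits) are this example's own.

```python
"""Added example (not the paper's code): Min(Spec) of Proposition 9 built
for the protocol specification, with formulas of the "logic of events"
represented as Python predicates over a frozenset of occurred events."""
from collections import deque


def occ(e):
    """Atomic predicate e: X |= e iff the event e has occurred (e in X)."""
    return lambda X: e in X


def neg(phi):
    """X |= not phi iff X does not satisfy phi."""
    return lambda X: not phi(X)


def conj(*phis):
    """X |= phi_1 and ... and phi_n (the empty conjunction is true)."""
    return lambda X: all(phi(X) for phi in phis)


TRUE = conj()  # used for the unconditional declarations "|- e"


def min_spec(state_formula, declarations):
    """Proposition 9: (1) the empty set is a state if it satisfies the
    state formula; (2) whenever X is a state and a declaration psi |- e
    has X |= psi, e not in X and X + {e} |= state formula, then X + {e}
    is a state and X |- X + {e}.  Returns (states, transitions)."""
    empty = frozenset()
    if not state_formula(empty):
        return set(), set()
    states, transitions, queue = {empty}, set(), deque([empty])
    while queue:
        X = queue.popleft()
        for psi, e in declarations:
            if e in X or not psi(X):
                continue
            Y = X | {e}
            if not state_formula(Y):
                continue
            transitions.add((X, Y))
            if Y not in states:
                states.add(Y)
                queue.append(Y)
    return states, transitions


def satisfies(states, transitions, state_formula, declarations):
    """Definition 8: every state satisfies the state formula, and for every
    declaration psi |- e, X |= psi and e not in X imply X |- X + {e}."""
    if not all(state_formula(X) for X in states):
        return False
    return all((X, X | {e}) in transitions
               for X in states
               for psi, e in declarations
               if e not in X and psi(X))


def protocol_spec():
    """Event declarations of the synchronized protocol (A, K and B), with
    the origin superscripts stripped as the text allows for this example."""
    return [
        (TRUE, "Creq"),
        (occ("Creq"), "Cind"),
        (occ("Cind"), "Crsp"),
        (conj(occ("Creq"), occ("Crsp")), "Ccnf"),
        (conj(occ("Crsp"), neg(occ("Rind"))), "Dreq"),
        (conj(occ("Ccnf"), occ("Dreq"), neg(occ("Rcnf"))), "Dind"),
        (occ("Ccnf"), "Rreq"),
        (conj(occ("Crsp"), occ("Rreq")), "Rind"),
        (occ("Rind"), "Rrsp"),
        (conj(occ("Rreq"), occ("Rrsp")), "Rcnf"),
    ]


def build_protocol():
    """Min(Spec) for the protocol; it has no state formulas, so phi = TRUE."""
    return min_spec(TRUE, protocol_spec())


def prohibits(transitions, e, f):
    """True iff no move adds f to a state in which e has already occurred,
    i.e. an occurrence of e prohibits the one of f (asymmetric conflict)."""
    return not any(e in X and f in Y - X for X, Y in transitions)


def terminal_states(states, transitions):
    """States without outgoing moves (completed computations)."""
    return {X for X in states if not any(S == X for S, _ in transitions)}
```

Running build_protocol() yields 20 states and 24 moves; Rcnf prohibits a later Dind while Dind does not prohibit Rcnf, and one of the three terminal states contains Dreq without Dind, the run in which the packet is never delivered.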

Another, more sophisticated example is Hoare's trace logic [5]. Let $A$ be a set of actions. Formulas of Hoare's logic state properties of traces $w \in A^*$. E.g. for the famous vending machine, the formula $\#chocs < \#coins$ states that always more coins are inserted than chocolates delivered in an admissible trace (= computation). Traces are events in our terminology.⁸ The corresponding event (trace) automata have states $Pref(w)$ being the set of prefixes of the trace $w$ (we refrain from capturing this by a state formula). Trace formulas implicitly define an enabling relation in that $w \vdash wa$ whenever $wa$ is an admissible trace. The "formula" $w$ in $w \vdash wa$ checks for presence of the trace $w$ as maximal trace in a set of events.⁹

We claim no elegance in this translation; one should stick to Hoare's style. But a detail is noteworthy after all: Hoare's logic refers to events and not to actions as basic semantic entities. In fact, more elaborate versions of his logics using refusal sets [5] or ready sets [9] mix references to events and actions. The "ready set semantics", in particular, compares well to our framework in that $\phi \vdash a$ can be used to declare the action $a$

⁷$C^A_{req}$ abbreviates the formula $[syn_2][\pi_1][syn_1][\pi_1]C_{req}$ where $[syn_1]$ denotes the transformation synchronizing A and K, and $[syn_2]$ synchronizes the synchronized product of A and K with B. The projection in the middle is used for the construction of the product. The example is extensively discussed in [13].

⁸Note the compliance with the stipulation of events occurring only once in a computation.

⁹Concerning synchronization operators, there are a lot of subtleties involved, which we comment on further below.

to be "ready" if the formula $\phi$ holds. We resume this theme in the next section.

4  Towards  a  Logic  of  Action? 

4.1  A  Taxonomy  of  Actions 

Specification in terms of events is somewhat limited in that events occur only once in a computation. One would prefer to think in terms of actions which may occur repeatedly during a run of a system. For instance, if we slightly modify the protocol example to allow several data packets to be sent, we have to introduce two events $D_{ind}$ and $D_{req}$ for data packets, though the events are indistinguishable from an external point of view. Actions relate to events as, for instance, procedures do to run-time calls; actions are generic scripts which, when activated, determine the (next step of) behaviour depending on the present state and, maybe, parameters.

There is little difficulty in adding actions. We supply event automata with a labeling mapping $\lambda : E \to A$ which associates events to the actions they represent. Similarly, we turn the logic of events into a logic of actions: we use $\phi \vdash a$ to stipulate that an event automaton has a move $X \vdash X \cup \{e\}$ if $X \models \phi$ and if there exists an event $e \notin X$ such that $\lambda(e) = a$, $a$ being an action. Again, the definition is parameterized by satisfaction $s \models \phi$. All this, however, is formal manipulation. The logic needs more sophistication.

Let us consider the behaviour of a stack. There are two actions to modify the stack, a push and a pop action, and there are some predicates, like $top = i$ or $isempty$. We are allowed to push whenever we are in a legal state, and pop if the stack is not empty. A tentative specification is then given by the following table:

Stack
States: $legal$
Declarations: $\vdash push(i)$; $\neg isempty \vdash pop$

The state formula $legal$ asserts that in any feasible computation a push action is performed at least as many times as a pop action.

We need a more complex notion of satisfaction than just the statement that some event has occurred in order to capture the intended effects of the operations. Let $[a]\phi$ state that "the observation $\phi$ holds after execution of the action $a$" [3]. Then

$[push(i)]top = i$

appears as reasonable but we have to "implement" the predicate $top = i$. Even if we label events with actions, we do not keep track of the ordering in which the events have occurred, which is a necessary prerequisite to compute the proper top of the stack.

We may use traces $A^*$ giving up "true concurrency". In order to define $top = i$, we then apply the equalities $top(v.push(i)) = i$ and $top(v.push(i).pop.w) = top(v.w)$ to the longest trace, i.e. the last event.

As an alternative, one might enrich a state by an additional component, a stack of the usual data type variety. If we use "stack" to refer to this additional component, the behaviour of a stack is fairly well reflected by the formulas

$stack = s \Rightarrow [push(i)]stack = push(s, i)$
$stack = push(s, i) \Rightarrow [pop]stack = s$

One wonders about the distinction between, for instance, the action push and the operation push. There is very little, if we are only concerned with the behaviour of one stack. But we could try to capture the well known theorem that two stacks plus finite control can be used to simulate a Turing machine¹⁰. Then the push and top actions of the two stacks need to be synchronized, e.g.

$top_1 = 0 \vdash pop_1 \| push_2(1)$

may be used to write a symbol on the Turing tape where $\|$ is a synchronization operator on actions (1 denotes a symbol, 0 a blank). We note: actions may synchronize or, more generally, may be visible to other processes, hence are the ingredients of reactive behaviour, while operations are just functions on some data. By the way, the data type stack "freezes" computation history in a rather obvious sense.

There is an asynchronous variant using the communication primitives $c!v$ and $c?x$ of process algebra:

$\neg isempty_1; write?x \vdash pop_1; ready\text{-}to\text{-}write!x$
$ready\text{-}to\text{-}write?x \vdash push_2(x)$

Here the finite control issues the write command, $x$ may either be 0 or 1.

¹⁰See, for instance, [6].

The example may be sufficient to demonstrate that additional structure is required to support the semantics of actions. Tentatively, there are two types of extensions, namely to enrich the events by some order relation mimicking dependence or temporal precedence, and to add a data component to states. Actions might be classified with regard to the nature and conditions of the changes caused:

• Imperative actions¹¹ the effect of which is independent of whatever has happened beforehand, but the data component of states is affected,

• History-dependent actions the effect of which to some extent depends on previous behaviour, and

• Declarative actions which do not affect the data component.

In  the  first  variant  of  our  example  the  action  pop  is  clearly  history 
dependent,  whereas  the  action  push  is  imperative.  The  order  on  events 
reflects  the  history.  Given  an  additional  data  component  (“a  frozen  his¬ 
tory”),  history-dependent  actions  may  be  turned  into  imperative  ones. 
Communication  primitives  like  c?x  are  declarative  since  neither  a  change 
of  a  data  component  is  involved  nor  are  they  relevant  for  history  if  exe¬ 
cuted.  This  crude  taxonomy  is  complemented  by  an  orthogonal  distinc¬ 
tion  between 

•  hidden  actions  which  change  a  local  state,  i.e.  the  effects  can  be 
observed  only  locally  within  a  process,  and 

•  visible  actions  the  occurrence  of  which  are  known  to  other  processes 
which,  for  instance,  can  decide  or  are  forced  to  synchronize. 

Whether  actions  are  hidden  or  visible  depends  on  the  specific  design. 
For  instance,  we  may  choose  to  consider  only  communication  primitives 
as  visible,  then  synchronizations  such  as  popi||push2(l)  are  excluded. 

All  these  distinctions  should  be  supported  by  a  logic  of  actions. 

4.2  A  Framework  for  Dealing  with  Actions 

We do not venture to propose a "definitive" methodology for the specification of reactive behaviour. We rather ask for conditions for a logic of actions which are consistent with the logic of events.


11 Called Markovian in [2].
We distinguish between states $s$ and the underlying set $ev(s)$ of events as in the definition of event automata as stated in the introduction, for evident reasons. Moreover, we assume existence of some appropriate "logic" where $s \models \phi$ states that $s \in St$ satisfies the formula $\phi$. All data are "typed" by $A$, i.e. for each set of actions $A$, we assume a set of events $Ev(A)$, a set of states $St(A)$, and a set $Form(A)$ of formulas to be given, as well as total mappings $ev_A : St(A) \to Ev(A)$ and $\lambda_A : Ev(A) \to A$ such that $ev(s) \subseteq_{fin} Ev(A)$ for every $s \in St(A)$.

Furthermore, we assume that every partial mapping $\sigma : A \to A'$ induces partial mappings $\sigma_{Ev} : Ev(A) \to Ev(A')$ and $\sigma_{St} : St(A) \to St(A')$, and a total mapping $\sigma^* : Form(A') \to Form(A)$. These mappings are supposed to satisfy the following requirements:

• $\sigma_{Ev}(ev_A(s)) = ev_{A'}(\sigma_{St}(s))$ provided $\sigma_{St}(s)$ is defined,

• for every $e \in Ev(A)$, $\sigma(\lambda_A(e)) = \lambda_{A'}(\sigma_{Ev}(e))$ provided $\sigma_{Ev}(e)$ is defined, and

• $s \models \sigma^*\phi$ iff $\sigma_{St}(s) \models \phi$.

We refer to such a setup as a "frame" (for sake of a better term). We recast our main definitions.

Definition 14 An event automaton $\mathcal{E}$ of type $A$ (henceforth) consists of

• a set $St \subseteq St(A)$ of states with set $ev(s) \subseteq_{fin} Ev(A)$ of events for every $s \in St$,

• a transition relation $s \vdash s'$, where $s, s' \in St(A)$, such that $ev(s') = ev(s) \uplus \{e\}$ for some event $e \in Ev(A)$, and

A partially synchronous homomorphism consists of a partial mapping $\sigma : A \to A'$ such that

• for all $s \in St$, $\sigma_{St}(s) \in St'$,

• $\sigma_{Ev}$ is injective on $ev_A(s)$, and

• $\sigma_{St}(s) \vdash' \sigma_{St}(s')$ if $s \vdash s'$.

We  restate  the  constructions  on  event  automata  with  minor  changes. 

Definition 15 The (asynchronous) product $\mathcal{E}_1 \| \mathcal{E}_2$ of event automata $\mathcal{E}_1$ and $\mathcal{E}_2$ of type $A_1$ and $A_2$, respectively, is an event automaton of type $A = A_1 \times^* A_2$ defined by $(St, \vdash)$ where

• $(s_1, s_2, X) \in St$ if

— $s_1 \in St_1$, $s_2 \in St_2$, and $X \subseteq Ev(A)$,

— for all $e \in X$, $\pi_{1Ev}(e) \in ev_{A_1}(s_1)$ and $\pi_{2Ev}(e) \in ev_{A_2}(s_2)$, and

— $\pi_{1Ev}$ and $\pi_{2Ev}$ are injective on $X$,

• $(s_1, s_2, X) \vdash (s_1', s_2',  X \uplus \{e\})$ if

— $(s_1, s_2, X)$ and $(s_1', s_2', X \uplus \{e\})$ are states, and

— $s_1 \vdash s_1'$ or $s_2 \vdash s_2'$.

Definition 16 Given an event automaton $\mathcal{E}$ of type $A$, and given a partial mapping $\sigma : A' \to A$, then the restriction of $\mathcal{E}$ to $A'$, notation $\mathcal{E}\restriction(\sigma : A' \to A)$, is the event automaton $(St', \vdash')$ of type $A'$ where

• $(s, \sigma, X) \in St'$ if

— $s \in St$, and $X \subseteq Ev(A')$,

— for all $e \in X$, $\sigma_{Ev}(e) \in ev_A(s)$, and

— $\sigma_{Ev}$ is injective on $X$,

• $(s, \sigma, X) \vdash' (s', \sigma, X \uplus \{e\})$ if

— $(s, \sigma, X)$ and $(s', \sigma, X \uplus \{e\})$ are states, and

— $s \vdash s'$.

Finally we introduce a relabeling operation.

Definition 17 Given an event automaton $\mathcal{E} = (St, \vdash)$ of type $A$ and a relabeling mapping $\sigma : A \to A'$, the relabeling of $\mathcal{E}$, notation $\mathcal{E}[\sigma]$, is the event automaton $(St', \vdash')$ such that

• $\sigma_{St}(s) \in St'$ iff $s \in St$, and

• $\sigma_{St}(s) \vdash' \sigma_{St}(s')$ if $s \vdash s'$ and if $\sigma_{Ev}(e)$ is defined for $e \in ev(s') \setminus ev(s)$.

As such, the definitions make little sense (except for relabeling). Nothing guarantees existence of the respective data. We commit the usual fraud to claim existence of what is needed. For instance, given a partial mapping $h : A \to A'$, for all states $s' \in St(A')$ and all sets $X \subseteq Ev(A)$, we claim existence of exactly one state $s$ of type $A$ such that $ev(s) = X$ and $h_{St}(s) = s'$. If we use $(s, h, X)$ to denote such a state, restriction is well-defined in a given frame. The requirement is sound in that states $(s, h, X)$ should differ only in terms of events $e$, the images of which are undefined w.r.t. $h_{Ev}$. Similarly, additional requirements can be imposed to recover the definition of products.

Proposition 18 Assume that, for every pair of states $s_1 \in St(A_1)$ and $s_2 \in St(A_2)$, and every set $X \subseteq Ev(A_1 \times^* A_2)$, there exists a unique state $(s_1, s_2, X)$ such that $\pi_{1St}(s_1, s_2, X) = s_1$, $\pi_{2St}(s_1, s_2, X) = s_2$, and $ev(s_1, s_2, X) = X$. Then the construction in Definition 15 defines a (categorical) product of event automata in such a frame.

Pure event automata satisfy the conditions trivially if we consider events as actions.

Interleaving semantics in terms of traces provides another example. Given a set of labels $A$ let $Ev(A) = A^*$ be the set of traces on this alphabet. We define $St(A) = \{Pref(w) \mid w \in A^*\}$ as being the prefix-closure of traces. The $ev_A$ is the identity map, and $\lambda_A(wa) = a$. We leave open which formulas may be used.

The asynchronous product of two sets $T_1 \subseteq A_1^*$ and $T_2 \subseteq A_2^*$ of traces is given by a set $T \subseteq (A_1 \times^* A_2)^*$ such that $w \in T$ iff $\pi_i(w) \in T_i$, and the projections $\pi_i$ are injective on $T$. The projection mappings are the canonical extension of those on actions to traces. Various synchronization operators can be defined restricting to suitable sets of labels; for instance the usual CSP operator is obtained as restriction to labels $(a, a)$ in the product alphabet.

The conditions for the asynchronous product of traces match exactly those for states used in the definition of product automata. The condition on the moves is trivially satisfied.

Similarly, we can set up a frame of synchronization trees [8], or a frame of Mazurkiewicz traces [7]. Other choices are to enrich the set of events $ev_A(s)$ of a state by a partial order representing dependency (as a generalization of traces [17]), or to extend a state by data components in that we allow access to internal data by means of attributes $s.a$. In the latter case, definitions should be given relative to a signature which comprises actions as well as attributes. The mathematics of this more general setup will be investigated in [14].

We  turn  our  attention  to  specifications.  We  follow  the  pattern  of 
section  3. 

Definition 19 An elementary specification $Spec$ over actions $A$ consists of

• a set of state formulas $\phi$, and

• a set of action declarations $\psi \vdash a$ where $\psi$ is of type $A$, and where $a \in A$.

All formulas are of type $A$.

Definition 20 Let $Spec$ be a specification and $\mathcal{E}$ be an event automaton of type $A$. Then $\mathcal{E}$ satisfies $Spec$, notation $\mathcal{E} \models Spec$, if

(i) $\mathcal{E} \models \phi$ for all state formulas $\phi$ of $Spec$, i.e., for all states $s \in St$, $s \models \phi$,

(ii) $\mathcal{E}, \psi \models a$ for all action declarations $\psi \vdash a$, i.e., for all states $s \in St$ such that $s \models \psi$, there is some state $s' \in St$ such that $s \vdash s'$ and $\lambda(e) = a$ (notation $s \vdash^a s'$).

Proposition 21 Assuming that all definitions are properly translated we have:

• $\mathcal{E}'\restriction(\lambda : A \to A') \models \lambda^*Spec$ whenever $\mathcal{E}' \models Spec$,

• $\mathcal{E}_1 \sqcap \mathcal{E}_2 \models Spec_1 \sqcap Spec_2$ iff $\mathcal{E}_1 \models Spec_1$ and $\mathcal{E}_2 \models Spec_2$, and

• if $\mathcal{E} \models Spec_1 \sqcap Spec_2$ then $\lambda_1(\mathcal{E}) \models Spec_1$ and $\lambda_2(\mathcal{E}) \models Spec_2$.

We  refer  to  such  specifications  as  elementary  since  they  are  concerned 
only  with  states  and  with  enabling. 

4.3  Relating  Events  and  Actions 

Every style of specification of reactive behaviour is probably a compromise between specifying in terms of actions and in terms of events. Hoare-style trace logics may serve as a witness. Not surprisingly, most styles of specification make implicit assumptions about the nature of events. Traces or synchronization trees are the structures commonly used for representing events, while equivalences on top determine their nature. The preference is justified. Traces and trees are natural structures to generate from actions, both are well understood, and we have the convenience that the last event (maximal trace, tree) encodes all the history.12 However, traces or trees do not support "true concurrency" in terms of an operator as, for instance, the gluing of synchronization trees supports "alternative". We should keep in mind here that the presentation of the semantic concepts in terms of operators is crucial for logics (at least for those with linear notation).

12 Hence support history-dependent actions, according to our taxonomy.

The absence of a "concurrency" operator of handy nature caused the genesis of a long line of true concurrency models, the first being Petri's [10]. Partial orders have been used very early to model causality [11, 16], or, if you want, to generalize the sequentiality of traces, with independence, or concurrency, being a derived notion, but not an algebraic kind of operator. These models do not support "alternative". Event structures combine the three aspects of "sequence", "alternative", and "concurrency", as do Mazurkiewicz traces where sequence and independence are the basic concepts. So the short historical survey takes us right back to the starting point.

To be fair, Vaughan Pratt addressed the question of how to generate partial orders [16], as does recent work based on categorical structures13 [1]. Still, the work does not provide a logic which is as easy to use and as natural as Hoare's trace logic or the various brands of temporal logics [15], nor does it cover aspects such as history-dependence.

Maybe it is worth considering the communication protocol specified in terms of events. If more than one data packet is exchanged, then we have several events corresponding to the "actions" $D_{req}$ and $D_{ind}$. The "action specification" $D_{req} \vdash D_{ind}$ is quite useless. We have to relate each event of sending of a data package to its arrival while the "specification" at best states that some sending of a data package corresponds to some arrival. We may refer to respective events by indexing, in that we consider events $\{D_{req_i} \mid i > 0\}$ and $\{D_{ind_i} \mid i > 0\}$. Then the declaration $D_{req_i} \vdash D_{ind_i}$, for all $i$, will achieve the desired result but we are back on the level of events. We can, however, use the additional information by restricting states to those such that the number of events labeled by $D_{req}$ is greater or equal to the number of events labeled by $D_{ind}$. We may then stipulate that the (action) formula $D_{req}$ holds if the number of $D_{req}$ events is greater than the number of $D_{ind}$ events; the action $D_{ind}$ then enables any of the still missing arrival events. If we want to be sure that the channel works in FIFO mode, we need a more structured set of events as well as of states: we assume events to be ordered, for instance by $D_{ind_i} < D_{ind_j}$ if $i < j$, and require that the events in a state respect this order. The latter can be achieved as well by sacrificing auto-concurrency14; working on Mazurkiewicz traces, we may say that (an action) formula $D_{req}$ is satisfied if the "last" $D_{req}$ is not followed by a $D_{ind}$ (with regard to the order on the traces).

13 The latter seems to support imperative actions only, according to our nomenclature. This is inherent in the bipartiteness of Petri nets. A marking does not record the events which have previously occurred.

14 Meaning that there are concurrent events labeled by the same action.
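As an added example (not part of the paper), the satisfaction check of Definition 20 run over the trace frame for the $D_{req}/D_{ind}$ channel just described: the counting formula on an unindexed channel, and the FIFO variant with indexed events, where an automaton that admits reordered arrivals is rejected. The action names, the tuple encoding of indexed events and the finite horizon are assumptions of the example.

```python
"""Added example (not the paper's code): Definition 20 in the trace frame, applied
to the Dreq/Dind channel of Section 4.3.  Names and the finite horizon are assumed."""

DREQ, DIND = 'Dreq', 'Dind'   # the channel's two actions; a trace event wa is labelled a
# Every event is a pair (action name, index); index None means "unindexed".


def trace_automaton(alphabet, invariant, horizon):
    """Event automaton in the trace frame: states are the traces over `alphabet` of
    length <= horizon all of whose prefixes satisfy `invariant` (a restriction of
    St(A)); the move s |- s' exists iff s' = s + (a,), one new event labelled a."""
    states, frontier = ({()} if invariant(()) else set()), [()]
    for _ in range(horizon):
        frontier = [s + (a,) for s in frontier for a in alphabet if invariant(s + (a,))]
        states.update(frontier)
    return states


def satisfies(states, state_formulas, action_decls, horizon):
    """Definition 20: (i) every state satisfies every state formula; (ii) for each
    declaration psi |- a, every state satisfying psi has a move labelled a.  Enabling
    is checked only below the horizon, where the finite state set is complete.
    Returns (ok, reason, witness state)."""
    for s in sorted(states, key=lambda t: (len(t), t)):
        for phi in state_formulas:
            if not phi(s):
                return False, 'state formula', s
        if len(s) < horizon:
            for psi, a in action_decls:
                if psi(s) and s + (a,) not in states:
                    return False, ('enabling', a), s
    return True, None, None


def count(s, name):
    return sum(1 for e in s if e[0] == name)


# Unindexed channel: states restricted to #Dreq >= #Dind, action formula Dreq as
# "more requests than arrivals so far", declaration  pending |- Dind.
UNINDEXED = [(DREQ, None), (DIND, None)]
no_spurious_arrival = lambda s: count(s, DREQ) >= count(s, DIND)
pending = lambda s: count(s, DREQ) > count(s, DIND)


def check_counting_channel(horizon=5):
    states = trace_automaton(UNINDEXED, no_spurious_arrival, horizon)
    return satisfies(states, [no_spurious_arrival], [(pending, (DIND, None))], horizon)


# FIFO variant with indexed events Dreq_i, Dind_i.
def indexed(n):
    return [(DREQ, i) for i in range(n)] + [(DIND, i) for i in range(n)]


def well_formed(s):
    """Each indexed event occurs at most once, and Dind_i only after Dreq_i."""
    for k, e in enumerate(s):
        if e in s[:k] or (e[0] == DIND and (DREQ, e[1]) not in s[:k]):
            return False
    return True


def fifo_order(s):
    """State formula: Dind_j may only occur once every Dind_i with i < j has."""
    return all(all((DIND, i) in s[:k] for i in range(e[1]))
               for k, e in enumerate(s) if e[0] == DIND)


def fifo_decls(n):
    """psi_i |- Dind_i: request i is pending and every earlier arrival has happened."""
    def psi(i):
        return lambda s: ((DREQ, i) in s and (DIND, i) not in s
                          and all((DIND, j) in s for j in range(i)))
    return [(psi(i), (DIND, i)) for i in range(n)]


def check_fifo_channel(n=2, ordered=True):
    """ordered=True builds the automaton whose states respect the FIFO order (it
    satisfies the FIFO spec); ordered=False admits reordered arrivals (it does not)."""
    inv = (lambda s: well_formed(s) and fifo_order(s)) if ordered else well_formed
    states = trace_automaton(indexed(n), inv, 2 * n)
    return satisfies(states, [fifo_order], fifo_decls(n), 2 * n)
```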

Without exhausting all the possible variations, the example should demonstrate that a precise understanding of the relationship of events and actions is crucial and that there is a variety of choices if true concurrency is taken into account. Hence no universal procedure for relating events and actions can be stated, but some requirements can. Given a set of actions $A$ the corresponding notions of events and states have to be fixed as well as satisfaction. Our logic of actions is based on this infrastructure. Moreover, for every action declaration $\phi \vdash a$, the effect of the action $a$ must be exactly known, namely which event is triggered, and how it relates to the past history.

Formally, for every action declaration

$\phi \vdash a,$

a logic of actions must determine a set of event declarations

$\psi \vdash e$

such that, for all states $s \in St(A)$ in the given frame,

$s \models \psi$ if $s \models \phi$

and

$\lambda(e) = a.$

Moreover 


if  cr£v<£. 

should hold for the respective $\psi$'s. This guarantees compatibility of the synchronization operators for specifications on the level of actions and of events. This condition completes our requirements for a frame.

The trace logic is an obvious example for a frame. If a trace $w$ satisfies the formula $\phi$, then $\phi \vdash a$ enables a transition to $wa$. Similarly, Mazurkiewicz traces define a frame though they do not support auto-concurrency. Auto-concurrency is well known to be a major problem.

Our  taxonomy  of  actions  further  suggests  that  data  components  are 
needed,  for  instance,  for  modeling  shared  memory.  Data  components 
might  be  accessed  using  attributes  for  observation  separating  data  and 
events.  Then  a  data  logic  can  be  designed  quite  independently,  or  rather, 
a  logic  of  actions  may  be  parameterized  by  a  logic  for  data. 


5  Conclusions 

We  may  summarize  as  follows: 
• There is an elementary style of specification in terms of events which is compositional with regard to synchronization operators.

• Similar results may be achieved for a logic of actions, but

• a framework for specification must clearly state how to relate actions and events.

• Conditions are given for frameworks such that the logics interact appropriately.

• Compositionality of specifications with regard to synchronization operators is established.

We consider our setup as a first step. More work needs to be done: the basic model should be enriched in order to support the various kinds of actions of our taxonomy (which is currently worked out in [14]), and more logical infrastructure must be provided. There are various lines of thought for the latter. For instance, one may introduce formulas $\psi_a$ and extend satisfaction to $(s, s') \models \phi$ to specify 'one-step' behaviour. The framework is easily extended to cope with such "static semantics". The situation is more complicated with "dynamic" varieties of logic.

Let us use a formula of the form $[a]\phi$ (where $\phi \in Form(A)$) with satisfaction being defined by: $\mathcal{E}, s \models [a]\phi$ if, for all moves $s \vdash^a s'$, $s' \models \phi$. Then we can prove by a straightforward argument

Proposition 22 For a partial mapping $\lambda : A \to A'$, an automaton $\mathcal{E}'$ of type $A'$, and a formula $\phi \in St(A')$, we have that $\lambda^*(\mathcal{E}'), s \models [a]\lambda^*\phi$ iff $\mathcal{E}', \lambda(s) \models [\lambda(a)]\phi$, provided that $\lambda(a)$ is defined.

Indeed, the definition of these formulas expressing the "dynamic" of the system strongly depends on the taxonomy we have introduced before.

There may be more dynamic operators, and similar results should hold for them. Since satisfaction depends on the given automata, there seems little hope to give a uniform translation scheme, but we note that the pattern for the "dynamic" enabling relation and the "predicate transformation" above is of striking similarity.
Abstract. Graph reduction is an implementation technique for the lazy $\lambda$-calculus. It has been used to implement many non-strict functional languages, such as lazy ML, Gofer and Miranda. Parallel graph reduction allows for concurrent evaluation. In this paper, we present parallel graph reduction as a Chemical Abstract Machine, and show that the resulting testing semantics is adequate wrt testing equivalence for the lazy $\lambda$-calculus. We also present a $\pi$-calculus implementation of the graph reduction machine, and show that the resulting testing semantics is also adequate.


1  Introduction 

The lazy reduction strategy for the $\lambda$-calculus investigated by Abramsky (1989) has only two reduction rules:

$(\lambda x.E)F \to E[F/x]$ \qquad $\dfrac{E \to E'}{EF \to E'F}$

This can be compared with the full evaluation strategy of Barendregt (1984):

$(\lambda x.E)F \to E[F/x]$ \qquad $\dfrac{E \to E'}{EF \to E'F}$ \qquad $\dfrac{F \to F'}{EF \to EF'}$ \qquad $\dfrac{E \to E'}{\lambda x.E \to \lambda x.E'}$

If the full evaluation strategy can terminate, then the lazy evaluation strategy will. For example, if we define:

$K = \lambda xy.x$
$I = \lambda x.x$
$Y = \lambda x.((\lambda y.x(yy))(\lambda y.x(yy)))$

then $YI \to^\infty$ but $KI(YI) \not\to^\infty$ under the lazy strategy, whereas $KI(YI) \to^\infty$ under the full strategy. However, the lazy evaluation strategy is very inefficient, since it may duplicate arguments when applying a function. For example, if we define:

$E_0 = I$
$E_{i+1} = (\lambda x.xx)E_i$

Then $E_i \to^{2i} I$ but $E_i \to^{2^{i+1}-2} I$, that is the lazy strategy can be exponentially worse than the full strategy. Thus, the early functional languages, such as LISP (McCarthy et al., 1962), used a strict reduction scheme rather than the lazy reduction scheme.

Graph reduction was introduced by Wadsworth (1971) as a means of efficiently implementing the lazy reduction strategy. Rather than reducing syntax trees, we reduce syntax graphs which allows a more efficient representation of sharing. For example, we can represent the reduction of $E_{i+1}$ as:

[Figure: graph reduction of $E_{i+1}$; an application node $@$ of $\lambda x$ to $E_i$ reduces to the body $xx$ in which both occurrences of $x$ share the single node $E_i$.]

Copyright © 1992 Alan Jeffrey.

This work was supported by SERC project GR/H 16537.
Miranda is a trademark of Research Software Limited.

Graph reduction has been used to implement non-strict functional languages such as Johnsson's lazy ML (1984), Jones's Gofer (1992) and Turner's Miranda (1985). It is discussed in Peyton Jones's textbook (1987).

However, there has been little work in the formal semantics of graph reduction. Barendregt et al. (1987) have shown that graph reduction is sound and complete with respect to term reduction. Lester (1989) has shown that the G-machine of Augustsson (1984) and Johnsson (1984) is adequate wrt a denotational model of the lazy $\lambda$-calculus. In this paper, we provide an alternative presentation of graph reduction, as a Chemical Abstract Machine (CHAM), in the style of Berry and Boudol (1990).

The CHAM was introduced as a way of presenting the operational semantics of parallel languages in a clean fashion. It has been used to give a semantics for Milner's CCS (1989) and Milner, Parrow and Walker's $\pi$-calculus (1989).

Here, we shall give a semantics for parallel graph reduction with blocking, as described by Peyton Jones (1987). We will show that this is an adequate semantics for the lazy $\lambda$-calculus, and that it can be implemented in a variant of the $\pi$-calculus.


2  The  lazy  lambda-calculus 

The $\lambda$-calculus, introduced by Church (1941), has the following syntax:

$E ::= x \mid EE \mid \lambda x.E$

where $x$ ranges over an infinite set of variables. This can be given a number of operational semantics, but we shall only look at two of these. We shall call these the lazy semantics:

$(\lambda x.E)F \to E[F/x]$ \qquad $\dfrac{E \to E'}{EF \to E'F}$

and the full semantics:

$(\lambda x.E)F \to E[F/x]$ \qquad $\dfrac{E \to E'}{EF \to E'F}$ \qquad $\dfrac{F \to F'}{EF \to EF'}$ \qquad $\dfrac{E \to E'}{\lambda x.E \to \lambda x.E'}$

Here, $E[F/x]$ is $E$ with every free occurrence of $x$ replaced by $F$, up to the usual renaming of bound variables. We can define a variant of Morris's testing pre-order (Barendregt, 1984, Exercise 16.5.5):

$E \sqsubseteq F$ iff $\forall C.\ C[F] \to^\infty \Rightarrow C[E] \to^\infty$

We can also define a variant of the $\lambda$-calculus with recursive declarations and strictness annotations:

$M ::= x \mid xy \mid \lambda x.M \mid \mathrm{rec}\ x := D\ \mathrm{in}\ M$
$D ::= !M \mid ?M$

Here:

• $\mathrm{rec}\ x := ?M\ \mathrm{in}\ N$ declares $x$ recursively to be $M$ in the context $N$. For example, a fixed point of $f$ is $\mathrm{rec}\ x := ?f\ \mathrm{in}\ \mathrm{rec}\ y := ?xy\ \mathrm{in}\ y$.

• $\mathrm{rec}\ x := !M\ \mathrm{in}\ N$ is the same, except that $x$ is strict in $N$, and so evaluation of $M$ can be sparked off as a parallel computation.

We shall let bound variables be $\alpha$-converted. The free variables of $M$ are $\mathrm{fv}\ M$:

$\mathrm{fv}\ x = \{x\}$
$\mathrm{fv}(xy) = \{x, y\}$
$\mathrm{fv}(\lambda x.M) = \mathrm{fv}\ M \setminus \{x\}$
$\mathrm{fv}(\mathrm{rec}\ x := D\ \mathrm{in}\ M) = (\mathrm{fv}\ D \cup \mathrm{fv}\ M) \setminus \{x\}$
$\mathrm{fv}(!M) = \mathrm{fv}\ M$
$\mathrm{fv}(?M) = \mathrm{fv}\ M$

There is a translation $|\cdot|$ from the $\lambda$-calculus to the $\lambda$-calculus with rec:

$|x| = x$
$|EF| = \mathrm{rec}\ x := !|E|\ \mathrm{in}\ \mathrm{rec}\ y := ?|F|\ \mathrm{in}\ xy$
$|\lambda x.E| = \lambda x.|E|$

Note that in the translation of $EF$, we know that $E$ will be used, and so it can be evaluated strictly. On the other hand, we do not know if $F$ will be used or not, so it cannot be annotated.

3  The  chemical  abstract  machine 

The Chemical Abstract Machine (CHAM) of Berry and Boudol (1990) is a way of presenting the operational semantics of parallel systems. We shall use it to give a semantics for parallel graph reduction of the $\lambda$-calculus with rec.

A CHAM gives reductions between solutions, which are multisets (or bags) of molecules. The definition of molecules is specific to each CHAM, but a solution can always be regarded as a molecule. In a solution $\{|m_1, \ldots, m_n|\}$, the multiset brackets $\{|\cdots|\}$ are called a membrane. Let $S$ range over solutions, and let $S \uplus S'$ be the multiset union of $S$ and $S'$. Each CHAM has three types of reduction:

• Heating rules, of the form $S \rightharpoonup S'$.

• Cooling rules, of the form $S \leftharpoondown S'$.

• Reaction rules, of the form $S \mapsto S'$.

Heating and cooling rules are always given in pairs $S \rightleftharpoons S'$, whereas reaction rules are irreversible. We shall write $\rightleftharpoons^*$ for the transitive, reflexive, symmetric closure of $\rightharpoonup$, write $\to$ for …, and let $\Rightarrow$ range over $\rightharpoonup$, $\leftharpoondown$ and $\mapsto$. All CHAMs have the following structural rules, where $m[\cdot]$ is a molecule containing precisely one hole:

$\dfrac{S \Rightarrow S'}{S \uplus S'' \Rightarrow S' \uplus S''}$ \qquad $\dfrac{S \Rightarrow S'}{\{|m[S]|\} \Rightarrow \{|m[S']|\}}$

In addition, the CHAMs we shall consider in this paper allow the outermost membrane of any solution to be ignored. This allows us to write $m_1, \ldots, m_n \Rightarrow m_1', \ldots, m_n'$ for $\{|m_1, \ldots, m_n|\} \Rightarrow \{|m_1', \ldots, m_n'|\}$.


The molecules and reduction rules are specific to each CHAM. In the case of the graph reduction CHAM, molecules are defined:

$m ::= x := D \mid S \mid \nu x.S$

The free variables of $m$ are $\mathrm{fv}\ m$:

$\mathrm{fv}(x := D) = \{x\} \cup \mathrm{fv}\ D$
$\mathrm{fv}\{|m_1, \ldots, m_n|\} = \mathrm{fv}\ m_1 \cup \cdots \cup \mathrm{fv}\ m_n$
$\mathrm{fv}(\nu x.S) = \mathrm{fv}\ S \setminus \{x\}$

The defined variables of $m$ are $\mathrm{dv}\ m$:

$\mathrm{dv}(x := D) = \{x\}$
$\mathrm{dv}\{|m_1, \ldots, m_n|\} = \mathrm{dv}\ m_1 \cup \cdots \cup \mathrm{dv}\ m_n$
$\mathrm{dv}(\nu x.S) = \mathrm{dv}\ S \setminus \{x\}$

We shall only consider solutions which do not define any variables twice, so in any solution $\{|m_1, \ldots, m_n|\}$, the defined variables of each $m_i$ are distinct. For example, we do not allow solutions such as $\nu x.\{|x := !\lambda w.M,\ x := !\lambda w.N,\ y := !xw|\}$ which could reduce nondeterministically to $\{|y := !M|\}$ or to $\{|y := !N|\}$. If $\vec{x} = x_1 \ldots x_n$ then we can write $\nu x.m$ for $\nu x.\{|m|\}$ and $\nu\vec{x}.m$ for $\nu x_1 \ldots \nu x_n.m$. Define:

• a molecule is a positive ion with valency $x$ iff it is $x := ?M$ or $x := !\lambda y.M$.

• a molecule is a negative ion with valency $y$ iff it is $x := !y$ or $x := !yz$.

• a molecule is ionic iff it is a positive or negative ion.

• a solution is plasmic iff it is $\{|\nu\vec{y}.\{|m_1, \ldots, m_n|\}|\}$ or $\{|m_1, \ldots, m_n|\}$ where each $m_i$ is ionic. A plasma is positive (negative) iff it contains only positive (negative) ions.

Plasmas can be regarded as graphs, for example the graph reduction:

is represented by the CHAM reduction:
$\nu xy.\{|z := !xy,\ y := ?|E_i|,\ x := !\lambda w.ww|\}$

$\to \nu uvy.\{|z := !uv,\ y := ?|E_i|,\ v := ?y,\ u := !y|\}$

$\to \nu uvy.\{|z := !uv,\ y := !|E_i|,\ v := ?y,\ u := !y|\}$

$\to^* \nu uvy.\{|z := !uv,\ y := !|I|,\ v := ?y,\ u := !y|\}$

$\to \nu uvy.\{|z := !uv,\ y := !|I|,\ v := ?y,\ u := !|I||\}$

$\to \nu vy.\{|z := !v,\ y := !|I|,\ v := ?y|\}$

$\to \nu vy.\{|z := !v,\ y := !|I|,\ v := !y|\}$

$\to \nu v.\{|z := !v,\ v := !|I||\}$

$\to \{|z := !|I||\}$

In these diagrams:

• Tagged nodes $x := !M$ are labelled with a $!$.

• Untagged nodes $x := ?M$ are labelled with a $?$.

• Application nodes $x := yz$ are labelled with a $@$.

• Indirection nodes $x := y$ are labelled with a $y$, if $y$ is free, and with $\nabla$ otherwise.

• Function nodes $x := \lambda y.M$ are labelled with a $\lambda y$, and have the graph for $\{|z := !M|\}$ drawn beneath them, for some fresh variable $z$.

The most important heating rule allows recursive declarations to become part of a solution, whilst hiding the bound variable. This is only valid when it would not cause the free variable $x$ to become bound by $y$, which we can achieve by $\alpha$-converting $y$ first.

$x := (!\ \mathrm{rec}\ y := D\ \mathrm{in}\ M) \rightleftharpoons \nu y.\{|x := !M,\ y := D|\} \quad (x \neq y)$

The scope of a hidden variable can migrate, as long as this does not result in variable capture:

$m,\ \nu x.m' \rightleftharpoons \nu x.\{|m,\ m'|\} \quad (x \notin \mathrm{fv}\ m)$

Hidden variables may be $\alpha$-converted, exchanged and evaporated:

$\nu x.m \rightleftharpoons \nu y.(m[y/x]) \quad (y \notin \mathrm{fv}\ m)$
$\nu xy.m \rightleftharpoons \nu yx.m$
$\nu x.\{||\} \rightleftharpoons \{||\}$

Finally, we can perform garbage collection on positive plasmas, since a hidden positive plasma can never make any reductions:

$\nu\vec{x}.\{|\vec{x} := \vec{D}|\} \rightleftharpoons \{||\} \quad (\{|\vec{x} := \vec{D}|\}\ \text{is a positive plasma})$

We shall sometimes write $\rightleftharpoons_\gamma$ for this thermal action, and an unsubscripted arrow for any other thermal action. For example, the graph reduction:


z 

z 

!@ 

!V 

/  \ 

11  ?l 

?1 

vyx.^x  :=  11,  y  :=  ?l,  z  :=  bryD 
i— ►  uyjr.Jjc  :=  !l,  y  :=  ?l,  z  ;=  !y[) 


can  be  derived: 
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-r  vyx.flx  :=  !l,  fly  :=  ?l,  z  :=  !y[}  fl 
-r  vy.flvx.flx  :=  !l|} ,  fly  :=  71.  z  :=  !yfl  fl 
-*Y  vy.flfly  :=  71,  z  :=  !y(Mfl 
vy.fly  :=  ?l,z  !y|) 


A reaction can occur whenever one positive and one negative ion with the same valency exist in a solution. Since there are two kinds of positive ion and two kinds of negative ion, there are four reaction rules. The first two allow untagged molecules to become tagged:

$x := !y,\ y := ?M \mapsto x := !y,\ y := !M$
$x := !yz,\ y := ?M \mapsto x := !yz,\ y := !M$

These can be drawn:

[Figure: the two tagging reactions drawn as graphs, a tagged indirection $!\nabla$ over $?M$ becoming $!\nabla$ over $!M$.]

$\{|S|\} \rightleftharpoons S$

$x := !\ \mathrm{rec}\ y := D\ \mathrm{in}\ M \rightleftharpoons \nu y.\{|x := !M,\ y := D|\} \quad (x \neq y)$

$m,\ \nu x.m' \rightleftharpoons \nu x.\{|m,\ m'|\} \quad (x \notin \mathrm{fv}\ m)$
$\nu x.m \rightleftharpoons \nu y.(m[y/x]) \quad (y \notin \mathrm{fv}\ m)$
$\nu xy.m \rightleftharpoons \nu yx.m$
$\nu x.\{||\} \rightleftharpoons \{||\}$

$\nu\vec{x}.\{|\vec{x} := \vec{D}|\} \rightleftharpoons \{||\} \quad (\{|\vec{x} := \vec{D}|\}\ \text{is a positive plasma})$

$x := !y,\ y := ?M \mapsto x := !y,\ y := !M$
$x := !yz,\ y := ?M \mapsto x := !yz,\ y := !M$
$x := !y,\ y := !\lambda w.M \mapsto x := !\lambda w.M,\ y := !\lambda w.M$
$x := !yz,\ y := !\lambda w.M \mapsto x := !M[z/w],\ y := !\lambda w.M$

Table 1. Summary of the graph reduction CHAM


This models the first phase of graph reduction: we search along the spine of a graph, tagging nodes for evaluation. Note that strict reactions do not occur:

$x := !yz,\ z := ?M \not\mapsto x := !yz,\ z := !M$

If a tagged indirection node points to a function, we can just copy the function. The SKIM (Stoye et al., 1984) and G-machine (Johnsson, 1984) use this as a method of eliminating indirection nodes. It was shown by Lester (1989) to be adequate:

$x := !y,\ y := !\lambda w.M \mapsto x := !\lambda w.M,\ y := !\lambda w.M$

This can be drawn:

[Figure: the indirection-copying reaction, a tagged indirection $!\nabla$ over $!\lambda w.M$ becoming a second copy of $!\lambda w.M$.]
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If  an  application  node  points  to  a  function,  it  can  be  /{-reduced: 

x  :=  !yz,  y  :=  IXw.M  t-+  x  :=  !Af[z/u>],  y  :=  Ww.M 

This  can  be  drawn: 


!@ 

M 

/  \ 

/  \ 

!Au>  N 

!Au>  V  V 

1 

h-t 

i 

M 

M  N 

^  \ 

S  \ 

w  •••  w 

w  w 

We shall sometimes write ↦β for this reaction, to distinguish it from the other reactions. This CHAM is summarized in Table 1.

This CHAM implements the algorithm for parallel graph reduction described by Peyton Jones (1987). A process is assigned to evaluating a node, which is tagged. It then searches along the spine, tagging each node as it passes. If it reaches a function node which can be β-reduced, it does so. If it reaches a function node which cannot be β-reduced, this is returned as the result. If it reaches a previously tagged application or indirection node, it is blocked until the tagged node is evaluated. For example, in the graph:

[Figure: a graph rooted at x, a tagged application node !@ whose two children, a tagged indirection node !V and a tagged application node !@, both point to the shared untagged node ?M; the inner application node's other child is N.]

only one process will evaluate M. This is mirrored in the CHAM by the fact that M will only be reduced once. However, this algorithm produces some surprising results with cyclic graphs. The solution {| y := !rec x := !x in x |} heats to become the plasma {| νx.{| y := !x, x := !x |} |} and the graph:

[Figure: y drawn as a tagged indirection node !V pointing to a tagged indirection node !V that points back to itself.]

This  has  no  reductions,  because  it  is  negative.  This  is  mirrored  in  the  parallel  graph 
reduction  algorithm,  since  the  process  evaluating  y  will  discover  that  the  indirection  node 
at  x  has  already  been  tagged.  Thus,  it  is  possible  for  evaluations  to  deadlock,  when  a 
sequential  algorithm  would  diverge. 
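As an added illustration (not part of the paper), the following Python model implements the four reactions of Table 1 over a solution of molecules x := !M and x := ?M and replays the behaviours described above: lazy spine search, β-reduction, the deadlocked negative plasma {| y := !x, x := !x |}, and divergence. The sample solutions are constructed for this example; the (λx.xx)(λx.xx) graph is hand-built rather than produced by the paper's translation, and node names are assumed to be disjoint from λ-bound variables.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple, Union


# Terms of the graph reduction CHAM: an indirection to node y, an application
# node with function node y and argument node z, or a function λw.M.
@dataclass(frozen=True)
class Var:
    name: str


@dataclass(frozen=True)
class App:
    fun: str
    arg: str


@dataclass(frozen=True)
class Lam:
    param: str
    body: "Term"


Term = Union[Var, App, Lam]
# A solution maps node x to (tagged, M): x := !M when tagged, x := ?M otherwise.
Solution = Dict[str, Tuple[bool, Term]]


def subst(term: Term, z: str, w: str) -> Term:
    """M[z/w]: replace the bound variable w by the node name z.
    Assumption (for this example only): node names and λ-bound variables
    come from disjoint sets, so the substitution can never capture anything."""
    if isinstance(term, Var):
        return Var(z) if term.name == w else term
    if isinstance(term, App):
        return App(z if term.fun == w else term.fun, z if term.arg == w else term.arg)
    if term.param == w:          # w is rebound by this λ, so nothing below is free
        return term
    return Lam(term.param, subst(term.body, z, w))


def step(sol: Solution) -> Optional[str]:
    """Apply one reaction of Table 1 in place and name it; None if the solution
    is inert. Only a tagged indirection or application node reacts, and only
    with the node on its spine: the argument of an application is never touched,
    which is the 'strict reactions do not occur' remark. Molecules are scanned
    in a fixed order so runs are reproducible; the CHAM itself is nondeterministic."""
    for x, (tagged, m) in sorted(sol.items()):
        if not tagged or isinstance(m, Lam):
            continue
        y = m.name if isinstance(m, Var) else m.fun      # spine neighbour of x
        if y not in sol:
            continue
        y_tagged, n = sol[y]
        if not y_tagged:                                  # rules 1 and 2: tag y
            sol[y] = (True, n)
            return f"tag {y}"
        if isinstance(n, Lam):
            if isinstance(m, Var):                        # rule 3: copy the function
                sol[x] = (True, n)
                return f"copy {y} into {x}"
            sol[x] = (True, subst(n.body, m.arg, n.param))   # rule 4: β-reduce
            return f"beta {x}"
        # y is tagged but not yet a function: x is blocked until y is evaluated
    return None


def run(sol: Solution, root: str, limit: int = 50) -> Tuple[str, List[str]]:
    """Reduce until inert or until `limit` reactions, then classify the root:
    'value' (root is a tagged function), 'deadlock' (inert without a value, as
    for a negative plasma) or 'diverges' (still reacting at the limit)."""
    trace: List[str] = []
    inert = False
    while len(trace) < limit:
        name = step(sol)
        if name is None:
            inert = True
            break
        trace.append(name)
    tagged, m = sol[root]
    if tagged and isinstance(m, Lam):
        return "value", trace
    return ("deadlock" if inert else "diverges"), trace


# Constructed sample solutions (not taken from the paper).
def lazy_identity() -> Solution:
    # {| x := !yz, y := ?λw.w, z := ?λv.v |}: z is only tagged once x needs it.
    return {"x": (True, App("y", "z")),
            "y": (False, Lam("w", Var("w"))),
            "z": (False, Lam("v", Var("v")))}


def cyclic() -> Solution:
    # The plasma {| y := !x, x := !x |} obtained from y := !rec x := !x in x.
    return {"y": (True, Var("x")), "x": (True, Var("x"))}


def omega() -> Solution:
    # Hand-built graph for (λx.xx)(λx.xx): {| x := !yz, y := ?λw.ww, z := ?λw.ww |}.
    return {"x": (True, App("y", "z")),
            "y": (False, Lam("w", App("w", "w"))),
            "z": (False, Lam("w", App("w", "w")))}


if __name__ == "__main__":
    for label, sol, root in [("lazy", lazy_identity(), "x"),
                             ("cyclic", cyclic(), "y"),
                             ("omega", omega(), "x")]:
        status, trace = run(sol, root, limit=8)
        print(f"{label}: {status} after {len(trace)} reactions: {trace}")
```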

Our translation of the λ-calculus will not produce cyclic graphs, although it can still produce divergent terms. For example, the translation of (λx.xx)(λx.xx) has the reductions:

Since |E| is an acyclic graph, we will be able to show that the CHAM semantics for the λ-calculus is adequate. To do this, we define the testing preorder on molecules:

m ⊑ m' iff ∀C . C[m'] ↦∞ ⇒ C[m] ↦∞

and show that the CHAM semantics is adequate, that is if (x := ?|E|) ⊑ (x := ?|F|) then E ⊑ F.

Theorem 1 (adequacy). If (x := ?|E|) ⊑ (x := ?|F|) then E ⊑ F.

Proof. Given in (Jeffrey, 1992). □

However, it is not fully abstract.

Theorem 2. E ⊑ F does not imply (x := ?|E|) ⊑ (x := ?|F|).

Proof. Given in (Jeffrey, 1992). □

It is an open problem as to whether the CHAM semantics is fully abstract wrt Abramsky's (1989) λ-calculus with C, and as to whether the canonical semantics for the lazy λ-calculus D ≅ (D → D)⊥ is adequate wrt the CHAM semantics.

4 The asynchronous π-calculus

The π-calculus, introduced by Milner, Parrow and Walker (1989), is a process algebra in which scope is considered important. Milner has shown that it can be used to model pointer structures (1991) and the lazy λ-calculus (1992), which has been further investigated by Sangiorgi (1991).

Since the π-calculus was designed with pointer structures and the λ-calculus in mind, it seems natural to use it to encode a parallel graph reduction algorithm. We shall consider a variant of Boudol's asynchronous π-calculus (1992). This has the syntax:

P ::= x[yz] | x(yz).P | P | P | νx.P | [x = y]P | [x ≠ y]P | A(x̃)

Here: 

• x[yz] is the process which outputs the pair (y, z) along channel x.

• x(yz).P is the process which inputs a pair (y', z') along channel x, then behaves like P[y'/y, z'/z].

• P | Q places P and Q in parallel.

• νx.P creates a new channel x for use in P.

• [x = y]P acts like P whenever x = y, and deadlocks otherwise.

• [x ≠ y]P acts like P whenever x ≠ y, and deadlocks otherwise.

• A(x̃) is a recursive definition, in the style of Milner (1989). We shall assume an environment of definitions A(x̃) = P, where fv P ⊆ x̃.
The CHAM for this variant of the asynchronous π-calculus is given in Table 2, and is very similar to Boudol's CHAM for the asynchronous π-calculus (1992). The only new rules are:

• {| S |} ⇌ S, which is missing from Boudol's paper. This rule is required to prove the result that for any solution S there is a process P such that S ⇌* {| P |}. For example, we cannot show {| {| x[yz] |} |} ⇌* {| x[yz] |} without this rule.

• [x = x]P ⇌ P and [x ≠ y]P ⇌ P whenever x ≠ y, which give semantics for the conditional operators missing from Boudol's paper.

• A(x̃) ⇀ P[x̃/ỹ] whenever A(ỹ) = P, which gives semantics for recursive definitions, which were not used in Boudol's paper.

We can define much of the same vocabulary for this CHAM as we did for the graph reduction CHAM.

• A molecule is a positive ion with valency x iff it is x(yz).P.

• A molecule is a negative ion with valency x iff it is x[yz].

• A molecule is ionic iff it is a positive or negative ion.

• A solution is plasmic iff it is {| P1, ..., Pn |} or {| {| P1, ..., Pn |} |} and each Pi is ionic.

A plasma is positive (negative) iff it contains only positive (negative) ions.

{| S |} ⇌ S
P | Q ⇌ P, Q
νx.P ⇌ νx.{| P |}
m, νx.m' ⇌ νx.{| m, m' |}   (x ∉ fv m)
νx.m ⇌ νy.(m[y/x])   (y ∉ fv m)
νxy.m ⇌ νyx.m
νxx.m ⇌ νx.m
[x = x]P ⇌ P
[x ≠ y]P ⇌ P   (x ≠ y)
A(x̃) ⇀ P[x̃/ỹ]   (A(ỹ) = P)
x[yz], x(vw).P ↦ P[y/v, z/w]

Table 2. CHAM for the π-calculus

We can give a translation of each molecule of the graph reduction CHAM into the π-calculus. This uses a special variable *, which we shall use to represent a function which is being evaluated, but which has not (yet) been given an argument. The semantics for terms is:

⟦x⟧z = x[*z]
⟦xy⟧z = x[yz]
⟦λx.M⟧z = !z(xy).([x = *]⟦λx.M⟧y | [x ≠ *]⟦M⟧y)
⟦rec x := D in M⟧z = νx.(⟦D⟧x | ⟦M⟧z)   (x ≠ z)

where Milner's (1991) replication operator is defined:

!P = !P | P

Note that the definition of ⟦λx.M⟧ is recursive, which is why we are taking recursion to be primitive, rather than replication. It is not obvious whether one could define a semantics using replication for which there would be a one-to-one correspondence between CHAM reductions and π-calculus reductions. Note also that ⟦rec x := D in M⟧z is defined only when x ≠ z, but we can use α-conversion on x to assure this. The semantics for declarations is:

⟦!M⟧z = ⟦M⟧z
⟦?M⟧z = z(xy).(z[xy] | ⟦M⟧z)

The semantics for molecules is:

⟦x := D⟧ = ⟦D⟧x
⟦νx.m⟧ = νx.⟦m⟧
⟦{| m1, ..., mn |}⟧ = {| ⟦m1⟧, ..., ⟦mn⟧ |}

[Table 3. A sample graph reduction in the π-calculus]

This semantics can be drawn with flow graphs. For example, if we draw a box D with port z for ⟦D⟧z, a node !V with ports z and x for ⟦!x⟧z and a node ?V for ⟦?x⟧z, and a node !@ with ports z, x and y for ⟦!xy⟧z and a node ?@ for ⟦?xy⟧z, then the reduction of E, given in Section 1, can be drawn (with some extraneous processes removed to account for garbage collection) in Table 3. This is exactly the same reduction as given in Section 3.

In general, we can show that each CHAM reduction is matched by exactly one π-calculus reduction, and thus that the π-calculus semantics is adequate wrt the CHAM semantics for graph reduction (and so wrt the λ-calculus).

Theorem 3 (adequacy). If ⟦S⟧ ⊑ ⟦S'⟧ then S ⊑ S'.

Proof. Given in (Jeffrey, 1992). □

However, it is not fully abstract.

Theorem 4. m ⊑ m' does not imply ⟦m⟧ ⊑ ⟦m'⟧.

Proof. Given in (Jeffrey, 1992). □

Sangiorgi (1991) has investigated λ-calculi semantics for which Milner's π-calculus translation is fully abstract. It is an open problem as to whether similar results can be shown for the CHAM for graph reduction.
Abstract

Monads, comonads and categories of algebras have become increasingly important tools in formulating and interpreting concepts in programming language semantics. A natural question that arises is how various categories of algebras for different monads relate functorially. In this paper we investigate when functors between categories with monads or comonads can be lifted to their corresponding Kleisli categories. Determining when adjoint pairs of functors can be lifted or inherited is of particular interest. The results lead naturally to various applications in both extensional and intensional semantics, including work on partial maps and data types and the work of Brookes/Geva on computational comonads.


1  Introduction 

Monads, comonads and categories of algebras have become increasingly important tools in formulating and interpreting concepts in programming language semantics. The existence of reflections and coreflections on various categories of cpos and domains, for example, has proven to be a special case of comparison functors between Kleisli and Eilenberg-Moore categories of algebras, while initial algebras for various monads are routinely used to interpret recursive data types. Final coalgebras and invariant objects have also played important roles, such as describing PER semantics, algebraic completeness and fixed point semantics [CP], [F], [FMRS], [Mu1], [Mu2].

*This research was partially supported by NSF Grants CCR-9002251, CCR-9203106, INT-9113406 and a Colgate University Picker Fellowship.

In refining such work the particular role played by special monads has been profitably emphasized. For example the existence of partial map classifier (pmc) monads in more general settings than a topos was addressed in [Mu3] in order to connect the notions of pmc and partial cartesian closed category (pccc). Additionally Kleisli categories for strong monads have been utilized in providing a general interpretation for abstract programming languages [Mo]. In a different direction Kleisli categories of comonads, particularly computational comonads, have been used to describe an intensional semantics in which comonads represent different possible notions of computation [BG]. Despite the success in utilizing different monads and comonads in separate semantic contexts, little work to date has examined how the corresponding categories of algebras might relate functorially and what effect this has on the associated semantics.

In this paper we address this question by considering when functorial processes on categories with associated monads can be lifted to their corresponding Kleisli categories. We also investigate conditions under which adjoints may be either lifted or inherited. A key step is the observation that the presence of a lifting is equivalent to the existence of a natural transformation satisfying certain equations. Equally important are the wide variety of examples that arise in this setting. We also find that some timely issues gain a new perspective when examined from this viewpoint. For example the notion of monadic strength, which plays an important role in calculations for computational lambda calculi, is a special case of the required existence of a natural transformation. Conditions enabling cartesian closure for semantic categories also naturally arise through the lifting of adjoints, as do interpretations of partial data types. Examples such as Moggi's extension construction $(\,)$, as well as Brookes and Geva's foundational work on intensional semantics, can be interpreted and generalized in this setting as well.

Some acknowledgements are in order. It would be amiss if I did not mention the hospitality of LFCS, Edinburgh, where much of the early work on this paper was completed. I would like to thank Martin Hyland whose perceptive questions on a visit to Cambridge helped motivate part of this enquiry. The work in [J] for the case of Eilenberg-Moore algebras had a significant effect on both the exposition and content of the basic mathematical results. Thanks also to Ernie Manes for some useful comments and suggestions.

2  Lifting  Theorems 

We begin by considering monads $(H, \eta, \mu)$ and $(K, \rho, \nu)$ on categories $C$ and $D$ respectively. Let $T$ be a functor $T : C \to D$. We are interested in determining when $T$ can be extended to a functor between the corresponding Kleisli categories. We start with a definition making this notion precise. Let $i_H$ denote the inclusion functor from $C$ to $C_H$.

Definition 2.1 A functor $\bar{T} : C_H \to D_K$ is a lifting of $T$ if $\bar{T} \circ i_H = i_K \circ T$, or equivalently the following diagram commutes.

[Diagram: the square with $\bar{T} : C_H \to D_K$ on top, $T : C \to D$ on the bottom, and the inclusions $i_H : C \to C_H$ and $i_K : D \to D_K$ as the vertical arrows.]


We  wish  to  specify  when  a  given  functor  T  has  a  lifting.  The  next 
result  produces  such  conditions.  For  similar  results  in  the  algebra 
case  see  [A],[J],[Ma]. 

Theorem 2.2 For $C, D, H, K, T$ as above, functors $\bar{T} : C_H \to D_K$ which are liftings are in 1-1 correspondence with natural transformations of the form $\lambda : TH \to KT$ that satisfy the following

1) $\lambda \circ T\eta = \rho T$

2) $\nu T \circ K\lambda \circ \lambda H = \lambda \circ T\mu$.

Proof : Given $\lambda : TH \to KT$ and $f : A \to B$ an arrow in $C_H$ (i.e. a map $A \to HB$ in $C$), $\bar{T}f$ is defined as $\lambda_B \circ Tf : TA \to KTB$. Some diagram chasing ensures that $\bar{T}$ is well defined and generates the desired commutative diagram. For example $\bar{T}(id_A) = \lambda_A \circ T\eta_A : TA \to KTA = \rho_{TA} = id_{TA}$ in $D_K$.

Conversely suppose a lifting $\bar{T}$ of $T$ exists. We denote the right adjoints to $i_H$ and $i_K$ by $G_H$, $G_K$ respectively. First define the natural transformation $\Lambda : T \circ G_H \to G_K \circ \bar{T}$ as the transpose of $T\varepsilon : T i_H G_H \to T$, where $i_K \circ T \circ G_H = \bar{T} \circ i_H \circ G_H$. Composing by $i_H$ gives the desired natural transformation $\lambda = \Lambda \circ i_H$. Once again some diagram chasing shows $\lambda$ satisfies the required equations. □

The existence of a natural transformation $\lambda$ for monads $H$ and $K$ satisfying the equations of 2.2 is not that unusual. In fact several well known examples such as tensorial strength and units of a monad are special cases of $\lambda$, as the next few examples illustrate.

Example 2.3 Let category $C$ be cartesian with monad $H$ and endofunctor $T = \_ \times B$ for $B$ an object in $C$. The functor $T$ has a lifting iff there exists a natural transformation $\lambda_{A,B} : HA \times B \to H(A \times B)$ satisfying

1) $\lambda_{A,B} \circ \eta_A \times B = \eta_{A \times B}$

2) $\mu_{A \times B} \circ H\lambda_{A,B} \circ \lambda_{HA,B} = \lambda_{A,B} \circ \mu_A \times B$.

These are precisely the equations corresponding to tensorial strength and the notion of strong monad [K]. Recall a monad $H$ is strong if there exists a natural transformation $\lambda_{A,B}$ satisfying 1) and 2). See [Mu2] for details. It is an easy matter to make $\lambda$ natural in both $A$ and $B$ by considering the monad $H \times H$ on $C \times C$, letting $T$ be the functor $\_ \times \_$ and utilizing the unit of the monad. Thus tensorial strength is a special case of the existence of a natural transformation for a lifting.

Corollary 2.4 Tensorial strength exists for monad $H$ on cartesian category $C$ iff products in $C$ lift to $C_H$.

Proof : The result is immediate from Theorem 2.2 and Example 2.3. □

Example 2.5 Suppose $C$ and $D$ agree, $C$ has the trivial identity monad and $K$ becomes $H$. Then for a given endofunctor $T$ of $C$, the natural transformation $\eta T : T \to HT$ satisfies the equations of Theorem 2.2 and so a lifting $\bar{T} : C \to C_H$ exists. Conversely if $\bar{T}$ exists then $\bar{T} = i_H \circ T$ and so $\lambda$ must be $\eta T$. In particular when $T$ is the identity, $\lambda$ is just the unit of the monad $H$, $\eta$, and $\bar{T} = i_H$.

Example 2.6 Suppose $C$ and $D$ agree, $K$ is the trivial identity monad and $T$ is the monad $H$ itself on $C$. In this case $H$ has a lifting and the corresponding natural transformation is just $\lambda = \mu : H^2 \to H$. The equations of Theorem 2.2 hold and reduce to the identities $\mu \circ H\eta = id_H$ and $\mu \circ \mu H = \mu \circ H\mu$. The lifting $\bar{H}$ is the right adjoint to $i_H$, namely $G_H$.

Lemma 2.7 Lifting distributes over composition, i.e. $\bar{S} \circ \bar{T} = \overline{ST}$.

Proof : Let $H, K, J$ be monads on $C, D, E$ respectively with functors $T : C \to D$ and $S : D \to E$. Suppose that $T$ and $S$ have liftings $\bar{T}$, $\bar{S}$ respectively, where $\lambda' : TH \to KT$ and $\lambda'' : SK \to JS$ are the natural transformations corresponding to $\bar{T}$ and $\bar{S}$ satisfying the equations of Theorem 2.2. There then exists a natural transformation $\lambda = \lambda''T \circ S\lambda' : STH \to JST$. A little diagram chasing will readily show that $\lambda$ satisfies the appropriate equations and thus produces a lifting $\overline{ST}$ of $ST$. However since $\bar{T}$ and $\bar{S}$ are liftings, the composition $\bar{S} \circ \bar{T}$ is also a lifting of $ST$. For $f : A \to HB$ an arrow in $C_H$, $\bar{S} \circ \bar{T}(f) = \lambda''T \circ S\lambda' \circ ST(f)$ and thus the lifting $\bar{S} \circ \bar{T}$ agrees with $\overline{ST}$. □

If we were not interested in providing a formula for $\lambda$ in the above proof, one could easily prove the lemma by composing the two commutative squares. We also note that it need not be true that $\overline{id} = id$, as Example 2.5 illustrates. This point will be emphasized in the next section.

Corollary 2.8 Let $(H, \eta, \mu)$ be a monad on $C$. The comonad associated to $H$ can be generated as a lifting.

Proof : Given monad $(H, \eta, \mu)$ we have the adjunction $i_H \dashv G_H$. The comonad formed by the adjunction is simply $H^* = i_H \circ G_H$. Let $C$, $D$ and $E$ agree, $T$ be the monad functor $H$, $K = S$ be the identity functor on $C$, and $J = H$. By Example 2.6, $\lambda'$ associated to $T$ is just $\mu$ and the lifting of $T$ is exactly $G_H$. By Example 2.5, $\lambda''$ associated to $S$ is $\eta$ and the lifting $\bar{S}$ is $i_H$. Thus by Lemma 2.7 the natural transformation $\lambda = \eta H \circ \mu$ satisfies the equations of Theorem 2.2 and corresponds to the lifting $\overline{H} = i_H \circ G_H = H^*$. □

We  wish  to  examine  how  adjunctions  on  liftings  relate  to  adjunc¬ 
tions  on  the  original  functors.  The  theorems  that  follow  address  this 
question. 

Theorem 2.9 Let $T, \bar{T}, \lambda, H, K$ be as in Theorem 2.2. If $K$ is a cartesian monad and $C$ has equalizers of coreflexive pairs, then $\bar{T}$ has a right adjoint implies so does $T$.

Proof : Because $K$ is cartesian, any object $X$ in $D$ is an equalizer of a coreflexive pair of the form $KX \rightrightarrows KKX$. In fact the equalizer is just the unit of the monad, $\rho_X$. Since $G_H$ and $G_K$ are right adjoints and adjoints are unique up to iso, if $R$ exists we must have $RG_K \cong G_H\bar{R}$. Thus we know what $R$ is on cofree objects, but by the above every object in $D$ is an equalizer of cofree objects. Since $R$ must preserve equalizers, we expect $RX$ to be the equalizer of a pair of maps $f, g : G_H\bar{R}i_K X \rightrightarrows G_H\bar{R}i_K KX$. We construct the maps $f, g$ in $C$ as follows. The map $f$ is just $G_H\bar{R}(i_K\rho_X)$. For $g$, first take the composite $i_K G_K\varepsilon_{i_K X} \circ i_K\lambda_{\bar{R}i_K X}$, where $\varepsilon$ is the counit of the adjunction $\bar{T} \dashv \bar{R}$ and $\lambda$ refers to the natural transformation of Theorem 2.2. Taking the transpose once gives $i_H G_H\bar{R}i_K X \to \bar{R}i_K KX$ and a second time gives $G_H\bar{R}i_K X \to G_H\bar{R}i_K KX$. Some diagram chasing shows that the constructed maps $f, g$ do the job. □

In [Mu1] it is shown that every ccc $C$ with a pmc generates a pccc which is equivalent to its associated Kleisli category $C_H$. The next result gives a partial converse to this result. An alternative approach can be found in [Mu3].

Corollary 2.10 Let $pC$ be a pccc where $C$ has equalizers of coreflexive pairs; then $C$ is a ccc.

Proof : Since $pC$ is a pccc, it has a pmc $K$ which is a cartesian monad and for which $pC$ is equivalent to $C_K$ (see [Mu3]). If $T$ denotes the endofunctor $\_ \times B : C \to C$, then there exists a lifting $\bar{T} : C \to C_K$ where the monad $H$ is the identity and $\lambda$ is just the unit natural transformation $\rho T$. Since $pC$ is a pccc, $\bar{T}$ has a right adjoint $\bar{R}$ and thus by Theorem 2.9 so does $T$ and we are done. □

Example 2.11 Let $C$ be a model of the computational lambda calculus, $\lambda_c$, in the sense of [Mo] where monad $T$ is cartesian. If $C$ has equalizers of coreflexive pairs then $C$ is a ccc. The proof is essentially the same as in Corollary 2.10.

Example 2.12 Let $C$ be either category pDOM or pCPO. It is well known that these categories are pcccs. Although neither DOM nor CPO is closed under equalizers of even coreflexive pairs, they do have equalizers for the coreflexive pair $f, g$ generated by Theorem 2.9. If $K$ is the pmc lift monad associated to $pC$ and $T$ is the functor $\_ \times B$, then in this case $f$ and $g$ are just $(\rho_X)_\bot$ and $(\rho_{X_\bot})_B$ respectively for $X$ in $C$, where $\rho$ is the unit of the lift monad $(\_)_\bot$.

Theorem 2.13 Let $C, D, H, K, T, \bar{T}$ be as in Theorem 2.2. The natural transformation $\lambda$ is an iso iff $G_K\bar{T} \cong TG_H$.

Proof : Suppose $\lambda : TH \to KT$ is an isomorphism. In the proof of Theorem 2.2 it was shown that $\lambda = \Lambda \circ i_H$. If $\lambda$ is an iso it follows easily that $\Lambda$ is also iso and thus $G_K\bar{T} \cong TG_H$. Conversely suppose that we have an isomorphism $G_K\bar{T} \cong TG_H$. Since $\bar{T}$ is a lifting we have an isomorphism $TH = TG_H i_H \cong G_K\bar{T}i_H = G_K i_K T = KT$. It is easily checked that the isomorphism satisfies the conditions of Theorem 2.2 and thus must be $\lambda$. □

Corollary 2.14 Let $C, D, H, K, T, \bar{T}$ be as in Theorem 2.2. If $T$ is a full embedding and $\lambda$ is an iso then the lifting $\bar{T}$ is also a full embedding.

Proof : Let $f, g$ be arrows in $C_H$ and suppose $\bar{T}(f) = \bar{T}(g)$. Then $\lambda \circ T(f) = \lambda \circ T(g)$. Since $\lambda$ is mono, $T(f) = T(g)$, and $T$ an embedding implies that $f = g$ and so $\bar{T}$ is faithful. Now suppose $h : \bar{T}(A) \to \bar{T}(B)$ is a map in $D_K$, i.e. $h : T(A) \to KT(B)$ is a map in $D$. Since $\bar{T}$ is a lifting and $T$ is full, there exists a map $k : A \to H(B)$ in $C$ so that $T(k) = \lambda^{-1} \circ h$. But $k$ is a map in $C_H$ and so $\bar{T}(k) = \lambda \circ T(k) = h$. Thus $\bar{T}$ is also full and we are done. □

Example 2.15 Let $C$ have a pmc monad $H$. In [Mu3] it is shown that $H$ must be the restriction of a pmc $(\,)_p$ in the presheaf category $\hat{C}$ over $C$, i.e. there exists a natural transformation which is an isomorphism $YH \cong (\,)_p Y$, where $Y$ is the Yoneda embedding. What's more the isomorphism satisfies the equations of Theorem 2.2. By Theorem 2.13 then there exists a lifting $\bar{Y}$ of $Y$ and by Corollary 2.14, $\bar{Y}$ is also an embedding. The following diagram then commutes, where the vertical pairs form adjoint pairs.

[Diagram: the square with $\bar{Y} : C_H \to \hat{C}_{(\,)_p}$ on top, $Y : C \to \hat{C}$ on the bottom, and the inclusion/right-adjoint pairs ($i_H$, $G_H$ on the left and the corresponding pair for $(\,)_p$ on the right) as the vertical arrows.]


The lifting of $Y$ in the previous example is different from the extension construction $(\,)$ found in [Mo]. There $(\,)$ is computed using Kan extensions and is applied directly to monads, though the construction can be readily related to the present context as Example 2.17 shows. The results of the last example also can be utilized to describe how pcccs can be incorporated inside the setting of Kleisli categories of pmc monads on cartesian closed categories.

Corollary 2.16 Every pccc $pC$ can be fully embedded inside the Kleisli category of a cartesian closed category.

Proof : Since $pC$ is a pccc, $C$ has a pmc monad $H$ for which $pC$ is equivalent to $C_H$ (see [Mu3]). By the previous example $H$ is the restriction of a pmc $(\,)_p$ in $\hat{C}$ and thus the Yoneda embedding has a lifting to $pC$ which is again a full embedding. □

Example 2.17 The $(\,)$ construction on monads found in [Mo] fits nicely in the general context of the results above. For a given monad $H$ on $C$, the existence of an extension $(H)$ simply provides a trivial natural transformation which is just an identity $\lambda : YH = (H)Y$. Likewise the corresponding equations trivialize. Although there is no mention of this in [Mo], by Theorem 2.2 there is also a lifting $\bar{Y}$ of $Y$ to the Kleisli categories. The other properties listed there, such as preservation of strength, follow immediately as a consequence of Corollary 2.14.
We include the next result for completeness. Although we do not use it now, the dual result plays an important role in comonadic computation. See Theorem 3.5 below.

Theorem 2.18 Let $C, D, H, K, T, \bar{T}$ be as in Theorem 2.13. If $T$ has a left adjoint then so does $\bar{T}$.

Proof : The proof follows the approach in [J]. Suppose $L \dashv T$ exists. Since $G_K\bar{T} \cong TG_H$, if a left adjoint $\bar{L}$ to $\bar{T}$ exists it must satisfy $i_H \circ L = \bar{L} \circ i_K$. Thus $\bar{L}$ is a lifting of $L$ and can be defined by specifying a natural transformation $\theta : LK \to HL$. Defining $\theta = \varepsilon_{HL} \circ L\lambda^{-1}L \circ LKu$, where $u$ and $\varepsilon$ denote the unit and the counit respectively of the adjunction $L \dashv T$, provides the necessary natural transformation. Some diagram chasing shows that $\theta$ satisfies the equations of Theorem 2.2. □

3  An  Application  using  Duality 

The past section dealt with lifting theorems for Kleisli categories of monads and various applications. In this section we examine an application that exploits the dual results to those presented in section 2, namely we consider how lifting theorems for comonads can be utilized to model intensional semantics in the sense of [BG].

In [BG], a categorical approach to intensional semantics is developed. If the extensional meaning of a program is represented by a map in category $C$, then for a suitable choice of comonad $H$ on $C$, $HA$ can be viewed as an object of computations over $A$, for any object $A$ in $C$. The intensional meaning of a program is then interpreted as a map from computations to values, i.e. a map in the Kleisli category of the comonad $H$. By defining a computational comonad in [BG], an extensional equivalence relation on algorithms is obtained, thereby allowing reasoning at different levels of abstraction.

We consider comonads $(H, \varepsilon, \delta)$ and $(K, \alpha, \beta)$ on categories $C$ and $D$ respectively. $T$ is a functor $T : C \to D$ and again we are interested in determining when $T$ can be lifted to a functor $\bar{T} : C_H \to D_K$ between the corresponding Kleisli categories for the comonads. As before the lifting of $T$ satisfies $\bar{T} \circ i_H = i_K \circ T$, where $i_H$ is the usual functor $C \to C_H$ with adjoint $G_H$. Now the functor $i_H$ is a right adjoint.

Theorem 3.1 For $C, D, H, K, T$ as above, functors $\bar{T} : C_H \to D_K$ which are liftings are in 1-1 correspondence with natural transformations of the form $\sigma : KT \to TH$ that satisfy the following equations.

1) $T\varepsilon \circ \sigma = \alpha T$

2) $\sigma H \circ K\sigma \circ \beta T = T\delta \circ \sigma$.

Proof : This is just the dual of Theorem 2.2. □

Example 3.2 Let $(H, \varepsilon, \delta)$ be a comonad on $C$. In [BG] a comonad is called computational if there exists a natural transformation $\gamma : id \to H$ satisfying

1) $\varepsilon \circ \gamma = id$

2) $\delta \circ \gamma = \gamma H \circ \gamma$

It is then shown that a computational comonad produces functors $alg$ and $fun$ and an extensional equivalence of maps is achieved. The functors $alg$ and $fun$ are just special cases of the lifting construction. Specifically, let $C = D$, $H$ be the identity comonad, and $K = H$ in the setup of Theorem 3.1. If $T$ is the identity functor on $C$ then by the dual to Example 2.5, $\bar{T} : C \to C_H$ is just $i_H$, which is just $alg$, and the natural transformation $\sigma$ generated by the lifting is just the counit of the comonad $H$, namely $\varepsilon$. Reversing the direction of the lifting where $T$ is still the identity, the existence of a lifting $\bar{T} : C_H \to C$ corresponds to the existence of a natural transformation $\sigma : KT \to TH$ satisfying the equations of Theorem 3.1. In this case $\sigma$ becomes $\gamma : id \to H$ and the equations reduce to those above defining a computational comonad. Further the lifting $\bar{T} : C_H \to C$ is exactly $fun$, where being a lifting forces $fun$ to satisfy $fun \circ alg = id_C$ as required. Since $alg$ and $fun$ are both liftings it also follows immediately that $alg \circ fun = \overline{id}$, which is not $id_{C_H}$ but rather only the identity up to the equivalence relation generated by $fun$. It should be remarked that the equivalence relation defined on $fun$ in [BG] is a special case of a more general construction described in Example 3.4 below. So $\gamma$ exists iff $fun$ exists and is a lifting. Thus proposition 4.2 in [BG] should actually be an equivalence. For completeness we state the result formally.

Theorem 3.3 Let $(H, \varepsilon, \delta)$ be a comonad on $C$. $H$ is computational iff the functor $fun : C_H \to C$ with the appropriate identities exists iff the lifting of the identity functor on $C$, $\overline{id} : C_H \to C$, exists. □

Example 3.4 Let $F : C \to D$ be a functor. We can always define an equivalence relation $R$ on $C$ as follows: for any two arrows $f$ and $g$ in $C$, $f\,R\,g$ iff $F(f) = F(g)$. It follows from functoriality that $R$ is a congruence relation (respects composition) and the quotient category $C/R$ is nothing more than the category generated by the image of $F$. Since $E = alg \circ fun$ in Example 3.2 is a split idempotent factoring through $C$, it follows immediately that the quotient category of $C_H$ via $E$ is isomorphic to $C$ and that $alg \circ fun$ is the identity up to the equivalence relation. The extensional collapse found in [BG] then follows directly from the above remarks.

If $C$ has products then for any comonad $H$ on $C$ it is easy to show that $C_H$ also has products. In [BG] it is shown that the existence of such products implies the existence of a natural transformation satisfying certain equations. In the case where $T$ is the product functor, these equations coincide with those of Theorem 3.1. More however can be said, as the converse is also true. The following corollary provides a different proof while showing that the conditions are in fact equivalent.

Corollary 3.5 Let $C$ be a cartesian category with comonad $H$. Products in $C_H$ which lift products from $C$ correspond to the existence of natural transformations $\sigma : H(\_ \times \_) \to H\_ \times H\_$ satisfying the following equations

1) $(\epsilon_A \times \epsilon_B) \circ \sigma_{A,B} = \epsilon_{A \times B}$

2) $(\delta_A \times \delta_B) \circ \sigma_{A,B} = \sigma_{HA,HB} \circ H\sigma_{A,B} \circ \delta_{A \times B}$

Proof: Immediate from Theorem 3.1 where $K = H$ and $T = \_ \times \_$. □

We note that a third equation appears in [BG] which is present because of the assumption of a computational comonad. The details are explained next.

Example 3.6 The third equation referred to above is $\sigma \circ \gamma_{\_ \times \_} = \gamma \times \gamma$. It arises by changing the codomain of the lifting from $C_H$ to $C$. Specifically the equation can be derived by utilizing the dual to Lemma 2.7. Namely, letting $T = \_ \times \_$ and $S$ be the identity on $C$, we generate two corresponding natural transformations which are precisely $\sigma$ and $\gamma$ respectively. The natural transformation generated by the composition $ST$ is, by the dual to Lemma 2.7, $\sigma \circ \gamma T$, i.e. $\sigma \circ \gamma_{\_ \times \_}$, but it is also equal to $T\gamma$, i.e. $\gamma \times \gamma$, by the dual to Example 2.5.

Theorem 3.7 Let $T, \widetilde T, \sigma, H, K$ be as in Theorem 3.1. If $K$ is a cocartesian comonad and $C$ has coequalizers of reflexive pairs then $T$ having a left adjoint implies that $\widetilde T$ does too.

Proof: This is just the dual of Theorem 2.9. □

Theorem 3.8 Let $C, D, H, K, T, \widetilde T$ be as in Theorem 3.1. The natural transformation $\sigma$ is an iso iff $T \circ G_H = G_K \circ \widetilde T$.

Proof: This is just the dual of Theorem 2.13. □

In [BG], the issue of exponentiation is raised. There the dual concern to that raised in Section 2 emerges, namely, given that $C$ is a ccc, when is $C_H$? A known sufficient condition is that $H$ preserve products (see Corollary 3.10 below). In Section 2 we were able to exploit the dual of Theorem 3.7. Now we turn to the dual of Theorem 2.18, which produces a general result that can be easily applied to the above remarks.

Theorem 3.9 Let $C, D, H, K, T, \widetilde T$ be as in Theorem 3.8. If $T$ has a right adjoint then so does $\widetilde T$.

Proof: This is just the dual of Theorem 2.18. □

The last theorem now gives us an easy proof of the following well known result.

Corollary 3.10 Suppose $C$ is a ccc and $H$ is a comonad on $C$ that preserves products. Then $C_H$ is a ccc also.

Proof: Since $C$ is cartesian, both $\widetilde T$ and $\sigma$ exist by Theorem 3.3 (where $T = \_ \times \_$). Since $H$ preserves products, $\sigma$ is an isomorphism, and since $C$ is a ccc, $T$ has a right adjoint. By Theorem 3.9 $\widetilde T$ also has a right adjoint and we are done. □

Example 3.11 Corollary 3.10 gives sufficient conditions for $C_H$ to be a ccc. As pointed out in [BG], the increasing paths comonad $H$ on Scott domains provides an example of Corollary 3.10 since $H$ preserves products. Since many interesting comonads do not preserve products, the weaker notion of a computational pairing is introduced in [BG]. This consists of a pair of natural transformations

split : $H(\_ \times \_) \to H(\_) \times H(\_)$

merge : $H(\_) \times H(\_) \to H(\_ \times \_)$

and six identities. We now show how these ideas fit our general setup. Consider the setup of Corollary 3.5, so $K = H$ and $T = \_ \times \_$. The transformation split is just the usual natural transformation $\sigma : KT \to TH$ of Theorem 3.1, and merge is a transformation $\lambda : TH \to KT$ in the reverse direction, such that the diagrams generated by $\sigma$ remain commutative with $\lambda$ inserted. While split then is just the transformation guaranteed by the lifting of $T$, merge is an approximation of the natural transformation necessary to induce a lifting of $T$ with respect to $G_H$ and $G_K$. Since merge is not generally $\sigma^{-1}$, by Theorem 3.8 it does not satisfy $T \circ G_H = G_K \circ \widetilde T$. There is sufficient structure however so that for any map $f : HA \to B$ in $C_H$ and for any $T$, $\mathrm{merge}_B \circ TG_H(f) = G_K \widetilde T(f) \circ \mathrm{merge}_A$ holds. Continuing in this way allows one to produce a weaker version of Theorem 3.9 for a weaker notion of right adjoint. In the case at hand one produces a weak form of exponentiation as described in [BG]. Of course when merge is the inverse of split, $\sigma$ is an iso and we have Theorem 3.9. More generally the existence of $\lambda$ allows for the existence of a lifting of the right adjoint to $T$. This lifting however is not generally a right adjoint to $\widetilde T$.

As is correctly pointed out in [BG], the Kleisli category is independent of the choice of natural transformations split and merge. There is however far more variation present in our setup. Not only do the natural transformations change for different choices of comonad $H$, but they can also change for different liftings of a fixed $H$. Further, one is not restricted to generating these transformations for a fixed functor $T = \_ \times \_$ but rather for arbitrary functors $T : C \to D$. Many more applications of these results thus seem possible.

Generalizations of the results in this paper are certainly possible. For example one can combine the intensional and extensional approaches by considering the monadic and comonadic approach together. Work in that direction will appear elsewhere. We end this section with a different example of how the extensional semantics of Section 2 and the intensional semantics of this section can be neatly combined. We consider a comonad $(H, \epsilon, \delta)$ and a monad $(K, \mu, \nu)$ on categories $C$ and $D$ respectively. If $T$ is a functor $T : C \to D$ we wish to determine when $T$ can be lifted to a functor $\widetilde T : C_H \to D_K$ from the Kleisli category on the comonad $H$ to the Kleisli category on the monad $K$. If $f$ is an arrow $HA \to B$ in $C$ then $\widetilde T(f)$ should be an arrow $TA \to KTB$ in $D$. We have the following result.

Theorem 3.12 Let $(H, \epsilon, \delta)$ be a comonad on $C$. If $H$ is a computational comonad then for any monad $(K, \mu, \nu)$ on any category $D$, and any functor $T : C \to D$, a lifting $T^* : C_H \to D_K$ exists.

Proof: Suppose $H$ is a computational comonad. By Example 3.2, there exists a lifting $\widetilde{\mathrm{id}} : C_H \to C$ which generates the natural transformation $\gamma : \mathrm{id} \to H$. If $T : C \to D$ and the monad $(K, \mu, \nu)$ are arbitrary then, by an argument analogous to that found in Example 2.5, $\widetilde T = \iota_K \circ T$ exists, and $T^* = \widetilde T \circ \widetilde{\mathrm{id}}$ defines a lifting where, for $f : HA \to B$ in $C$, $T^*(f) = \nu_{TB} \circ T(f) \circ T\gamma_A$. □

A converse to the above theorem is trivial by the discussion in Example 3.2.

4  Conclusion 

In  this  paper  we  have  considered  the  general  categorical  question  of 
when  functorial  processes  may  be  lifted  to  corresponding  Kleisli  cat¬ 
egories.  A  key  theme  is  the  recognition  of  the  relationship  between 
such  extension  results  and  the  existence  of  natural  transformations 
satisfying  certain  sets  of  equations.  Particular  attention  was  paid  to 
finding  conditions  that  ensured  that  adjoint  pairs  of  functors  could 
be  lifted  or  inherited.  This  led  naturally  to  various  applications  in 
both  extensional  and  intensional  semantics. 

Much remains to be done. Special cases of the paper's results may be of interest. For example, when the categories $C$ and $D$ agree one can enumerate conditions under which a particular endofunctor on $C$ extends from a computational calculus generated by one monad to a computational calculus generated by another. This extension process need not be unique as more than one mediating natural transformation may be present. In light of the recent interest in the use of monads there should be many fruitful examples to explore, particularly for categories used to model semantics.

In a different direction, the investigations in this paper have proved useful in formulating and describing results in sheaf semantics (see [Mu4]). In fact it was the analysis of certain technical conditions in this area that first motivated the questions raised in this paper. The methods have come into play by helping define and compare intrinsic orderings on objects in categories such as partial equivalence relations, building towards an axiomatic domain theory.

It  is  also  hoped  this  paper  will  help  contribute  to  our  understand¬ 
ing  of  the  algebraic  relationships  that  exist  between  various  semantic 
categories  that  implicitly  or  explicitly  utilize  monadic  structure.  De¬ 
spite  the  huge  volume  of  work  to  date  in  this  area  we  still  don't  have 
a  firm  grasp  of  many  of  the  fundamental  algebraic  mechanisms  at 
play;  mechanisms  for  example  that  determine  which  closure  proper¬ 
ties  and  evaluation  strategies  are  definable  or  inherited  when  moving 
from  one  semantic  setting  to  another. 

5  References 

[A] Applegate H., Acyclic models and resolvent functors, dissertation, Columbia University, 1965.

[BG] Brookes S., Geva S., Computational comonads and intensional semantics, Applications of Category Theory, LMSLNS 177, (1992) 1-44, Cambridge University Press.

[CP] Crole R. L., Pitts A. M., New Foundations for Fixpoint Computations, Proceedings of LICS, University of Pennsylvania, 1990.

[F] Freyd P., Algebraically Complete Categories, preprint, 1991.

[FMRS] Freyd P., Mulry P., Rosolini G., Scott D., Extensional PERs, Information and Computation, 98 (1992), 211-227.

[J] Johnstone P. T., Adjoint Lifting Theorems for Categories of Algebras, Bull. London Math. Soc., 7 (1975), 294-297.

[K] Kock A., Strong functors and monoidal monads, Arch. Math., 23 (1972), 113-120.

[Ma] Manes E. G., A triple miscellany: some aspects of the theory of algebras over a triple, dissertation, Wesleyan University, 1967.

[Mo] Moggi E., Notions of Computation and Monads, Information and Computation, 93 (1991), 55-92.

[Mu1] Mulry P. S., Monads and Algebras in the Semantics of Partial Data Types, Theoretical Computer Science, 99 (1992), 141-155.

[Mu2] Mulry P. S., Strong Monads, Algebras and Fixed Points, Applications of Category Theory, LMSLNS 177, (1992) 202-216, Cambridge University Press.

[Mu3] Mulry P. S., Partial Map Classifiers and Partial Cartesian Closed Categories, to appear.

[Mu4] Mulry P. S., Partial Sheaf Semantics, to appear.


Sequential Functions on Indexed Domains
and Full Abstraction for a Sub-language of PCF


Stephen Brookes    Shai Geva

brookes@cs.cmu.edu    shai@cs.cmu.edu
Carnegie Mellon University
School of Computer Science
Pittsburgh, PA 15213

October 29, 1993


Abstract 

We present a general semantic framework of sequential functions on domains equipped with a parameterized notion of incremental sequential computation. Under the simplifying assumption that computation over function spaces proceeds by successive application to constants, we construct a sequential semantic model for a non-trivial sub-language of PCF with a corresponding syntactic restriction: that variables of function type may only be applied to closed terms. We show that the model is fully abstract for the sub-language, with respect to the usual notion of program behavior.


1  Introduction 

A semantics for a programming language is fully abstract with respect to a given notion of program behavior iff the semantics distinguishes between two terms exactly when there is a program context in which the terms induce different behavior. Intuitively, a fully abstract semantics is at precisely the right level of abstraction to support compositional reasoning about behavior. It has turned out to be surprisingly difficult to give natural (i.e., language-independent) constructions of fully abstract semantic models for sequential languages such as PCF [Plo77, BCL85]. The constructions of fully abstract models for PCF given by Milner, Berry and Mulmuley [Mil77, Ber78, Mul87] are not natural. Yet there are natural fully abstract models for an extension of PCF with parallel facilities [Plo77] and, more recently, with control facilities [CF92, Cur92].

The first definitions of sequential functions, given by Milner [Mil77] and Vuillemin [Vui73], were limited to functions on products of flat domains. Sazonov's definition of sequential functions [Saz75] is also of limited scope. Kahn and Plotkin [KP78] introduced concrete data structures and concrete domains, and defined sequential functions between concrete domains. However, the sequential functions between two concrete domains do not form a concrete domain (under either the pointwise or stable orders). Berry introduced dI-domains, stable functions and the stable ordering [Ber78]; the stable functions between two dI-domains, ordered stably, form a dI-domain. However, the stable functions do not provide the desired notion of sequential functions, since some stable functions are not sequential. Berry and Curien [BC82, Cur86] defined sequential algorithms between concrete domains, and obtained a sequential intensional model from which one may recover the Kahn-Plotkin sequential functions by taking an extensional quotient. More recently, Bucciarelli and Ehrhard [BE91] introduced a notion of strongly stable functions between qualitative domains equipped with a coherence structure (QDC's), generalizing the Kahn-Plotkin definition. In earlier work [BG92] we defined sequential functions on Scott domains that generalized Kahn and Plotkin's sequential functions, and we obtained several closure results under the sequential function space.

We continue here the investigation of sequentiality. We present a framework of indexed domains, domains equipped with a parameterized notion of incremental sequential computation, formulated as an index structure. We give a general definition of sequential functions between indexed domains, as continuous functions that, essentially, respect the index structure. We define an indexed domain product, and show closure of indexed domains under the sequential function space, for both the pointwise and the stable orderings (with different classes of underlying domains). Indexed domains are closely related to Bucciarelli and Ehrhard's domains with coherence structures; we discuss this relationship in the conclusion.

Our earlier definition of sequential functions [BG92] arises when all domains are equipped with a particular data-index structure, which imposes a notion of incremental computation adequate for domains of data. This is the index structure which is (implicitly) present in Kahn and Plotkin's, Milner's and Vuillemin's definitions of sequentiality, as well as in Berry and Curien's sequential algorithms over concrete data structures and the language CDS0 [BC85, Cur86]; it is also used by Bucciarelli and Ehrhard for defining sequentiality at first order. In PCF, however, computation over function spaces proceeds in an inherently different manner, and thus the use of data-indices is not always appropriate; a suitable higher-order notion of incremental computation is called for.

The framework of indexed domains and sequential functions is not adequate to provide a fully abstract model for PCF, since function application fails to be sequential according to our definitions. Nevertheless, application of a sequential function to fixed arguments is a sequential function in our sense. We introduce a new higher-order notion of constant-applicative sequentiality, in which computation over function spaces proceeds by successive application to constants. We also introduce a sub-language of PCF, which we call ca-PCF, obtained by imposing a corresponding syntactic constraint on uses of application: variables of function type may only be applied to closed terms. We show that a sequential model employing data sequentiality at ground types and the pointwise order and constant-applicative sequentiality at arrow types is fully abstract for ca-PCF, with respect to the usual notion of program behavior. We have not yet found a completely satisfactory higher-order notion of sequentiality, since the lack of sequentiality of application prevents us from obtaining a cartesian closed category.

2  Preliminaries 

We assume conventional domain-theoretic definitions and notations. The original definitions of stability are due to Berry [Ber78], and Zhang [Zha91] gave a generalized topological characterization. We generalized Zhang's definitions to Scott domains and to the pointwise order in [BG92], where a full development may be found.

A Scott domain is a directed-complete, bounded-complete, $\omega$-algebraic poset with a least element. We write $x \uparrow y$ to indicate that $x$ and $y$ are bounded (consistent). We write $K(D)$ for the set of isolated (finite, compact) elements of $D$; when $X \subseteq D$ we also write $K(X)$ for $X \cap K(D)$. A dI-domain is a distributive Scott domain with property (I), i.e., such that every isolated element dominates finitely many elements. A (non-empty) subset $X$ of a poset is filtered iff every pair of elements of $X$ has a lower bound in $X$. The covering relation is defined by setting $x \prec y$ iff $x < y$ and the set $\{z \mid x < z \;\&\; z < y\}$ is empty. We define the upper set of $x \in D$ by $\uparrow x = \{x' \in D \mid x \le x'\}$. For $u \subseteq D$ let $\uparrow u = \bigcup \{\uparrow x \mid x \in u\}$. A set $u$ is up-closed iff $u = \uparrow u$. Similarly the lower set of $x$ is $\downarrow x$.

An arithmetic domain [GHK+80] is a Scott domain with the finite meet property (FM): the meet of each pair (or equivalently, every non-empty finite set) of isolated elements is itself isolated. Arithmetic domains are a proper intermediate class of domains between dI-domains and Scott domains.

In an algebraic poset, a subset $p \subseteq D$ is Scott open iff $p = \uparrow K(p)$, and it is stable open if, in addition, it is closed under bounded meets, i.e., if $x_1, x_2 \in p$ and $x_1 \uparrow x_2$ then $x_1 \wedge x_2 \in p$. Write $\mathrm{Sc}\,D$ for the set of Scott opens of $D$ and $\mathrm{St}\,D$ for the set of stable opens of $D$. For every $x \in K(D)$, $\uparrow x$ is Scott open and stable open. The Scott opens and the stable opens of a domain $D$ have $T_0$ separation, i.e., for every $x, y \in D$, $x = y$ iff $\{p \in \mathrm{Sc}\,D \mid x \in p\} = \{p \in \mathrm{Sc}\,D \mid y \in p\}$, and likewise for stable opens.

Scott opens define the Scott topology. Stable opens do not form a true topology, but may be regarded as a generalized topology. Every stable open may be decomposed into a disjoint union of lobes, which are Scott open filters. In a dI-domain every lobe has a least element. Stable opens of a dI-domain are therefore upper sets of pairwise inconsistent sets of isolated elements, coinciding with Zhang's stable neighborhoods [Zha91].

A function $f : D \to D'$ is Scott continuous, or just continuous, iff $f^{-1}q \in \mathrm{Sc}\,D$ for every $q \in \mathrm{Sc}\,D'$. Equivalently, $f$ is continuous iff it is monotone and preserves directed lubs. A function $f : D \to D'$ is stable continuous, or just stable, iff $f^{-1}q \in \mathrm{St}\,D$ for every $q \in \mathrm{St}\,D'$. Equivalently, $f$ is stable iff $f$ is continuous and preserves bounded meets, i.e., if $x_1 \uparrow x_2$ then $f(x_1 \wedge x_2) = fx_1 \wedge fx_2$.

For continuous functions $f, g : D \to D'$, we define the pointwise ordering by $f \le g$ iff $fx \le gx$ for every $x \in D$ or, equivalently, $f^{-1}q \subseteq g^{-1}q$ for every $q \in \mathrm{Sc}\,D'$. We write $\bigvee_p F$ for the pointwise lub of a family $F$ of functions, defined, if it exists, by $(\bigvee_p F)x = \bigvee \{fx \mid f \in F\}$.

Scott domains and arithmetic domains are closed under the pointwise-ordered continuous function space. All existing lubs in the pointwise-ordered continuous function space are taken pointwise. Function application is continuous, and the category of Scott domains and continuous functions is cartesian closed, with a full sub-ccc of arithmetic domains and continuous functions.

For $x \in K(D)$ and $y \in K(D')$, define the step function $[x \Rightarrow y] : D \to D'$ by setting $[x \Rightarrow y]\,x' = y$ if $x' \in \uparrow x$, and $[x \Rightarrow y]\,x' = \bot$ otherwise. The notation $[x \Rightarrow y]$ will imply that $x$ and $y$ are isolated. The isolated elements of the pointwise-ordered continuous function space are those functions which are the pointwise lubs of finitely many step functions.

3  Sequentiality 

3.1  Sequential  Functions  on  Indexed  Domains 

In order to model sequential computation, we equip domains with a parameterized notion of indices, intended to formalize incremental steps of a computation. Let an index function for a domain $D$ be a function $I : D \to \mathcal{P}(\mathrm{St}\,D)$ such that the following properties hold, for every $x \in D$:

•  True increment: For every $r \in Ix$, $x \notin r$.

•  Separation: If $x < y$ then there exists $r \in Ix$ such that $y \in r$.

•  Upwards motion: If $x \le y$, $r \in Ix$ and $y \notin r$ then $r \in Iy$.

•  Finite origin: If $r \in I(\bigvee X)$ and $X$ is a directed set then there exists $x_0 \in X$ such that $r \in Ix_0$. Equivalently, in an algebraic poset, if $r \in Ix$ then there exists some isolated $x_0 \le x$ such that $r \in Ix_0$.

•  Definiteness: For every $r \in Ix$, $r = \uparrow(\min r)$ for the set $\min r$ of minimal elements of $r$. (This is always the case for every stable open of a dI-domain.)

An indexed domain $E$ is a pair $E = (D, I)$ of a domain $D$ and an index function $I$ for $D$. When convenient we blur the distinction between an indexed domain and its underlying domain.

For $x \in E$ and $s \subseteq \uparrow x$, we call $r \in Ix$ an index of $s$ at $x$ iff $s \subseteq r$. We write $I(x,s)$ for the set of indices of $s$ at $x$, $I(x,s) = \{r \in Ix \mid s \subseteq r\}$.

Operationally, if the current approximation of a value $v$ being computed is $x$ then an index $r \in Ix$ is intended to represent a possible next step in the computation, resulting in an improved approximation by selecting among the alternatives that the index offers. A sequential computation over a domain may then be seen as a sequence of choices among alternatives posed by indices at an increasing sequence of approximations. The index function determines which sequences of approximations may be computable. It may help to think of $v$ as an input value to a program, with the program improving its approximation $x$ to $v$ by a process of incremental approximation, until it has sufficient information to determine its output on input $v$. One may also think of a program computing a sequence of ascending approximations to some target output value.

A stable open $r$ represents a choice between its lobes. Since an index $r \in Ix$ is definite, i.e., $r = \uparrow(\min r)$, the choice is represented even more concretely as a choice between the elements of $\min r$, which may be seen as competing alternative approximations to the target value $v$. The increment in information will be to $x \vee y$, where $y$ is the element of $\min r$ approximating $v$. Since $r$ is stable open, its minimal elements are isolated and pairwise inconsistent, so that $y$ will be unique, if it exists. The true increment property guarantees that $x \notin r$, and thus $x < x \vee y$. If $v \notin r$, then the computation step represented by $r$ may be said to diverge; a program that attempts to take step $r$ at $x$ is undefined for input $v$, in the input scenario, or may not output $v$, in the output scenario. An index $r \in I(x,s)$ of $s$ at $x$ may be seen as an incremental step from current approximation $x$ towards a choice represented by $s$, in that it guarantees non-divergence for $v \in \uparrow s$.

A subset $p \subseteq E$ is sequential open iff it is Scott open and, for every $x \in E$, either $x \in p$ or every finite $s \subseteq p \cap \uparrow x$ has some index at $x$, i.e., $I(x,s) \ne \emptyset$. Write $\mathrm{Sq}\,E$ for the collection of sequential opens of $E$, ordered by set inclusion. A function $f : E \to E'$ is sequential iff $f^{-1}q \in \mathrm{Sq}\,E$ for every $q \in \mathrm{Sq}\,E'$. Let $E \to_{sq} E'$ be the sequential function space between $E$ and $E'$, ordered pointwise. Thanks to the generalized topological definition, it is trivial to check that the identity functions are sequential and that composition preserves sequentiality, so that indexed domains and sequential functions form a category (for any underlying class of domains).

3.2  Sequentiality  in  Terms  of  Critical  Sets 

By the separation property of indices, $I(x,s)$ is non-empty whenever $x < \bigwedge s$, so it is only interesting to ask if $I(x,s)$ is empty in the case where $x = \bigwedge s$. This gives rise to a definition of critical sets, which provide convenient alternative characterizations of sequentiality.

A critical set of an indexed domain $E = (D, I)$ is a non-empty finite subset $s \subseteq E$ that has no index at its meet, i.e., such that $I(\bigwedge s, s) = \emptyset$. The fundamental properties of critical sets are developed in [BG92]. The following proposition summarizes the most important results.

Proposition 3.1

(1) Every finite set $s$ with a least element, and, in particular, every singleton, is critical.

(2) A set $p$ is sequential open iff it is Scott open and closed under critical meets. For every $x \in K(E)$, $\u
parrow x$ is sequential open. Sequential opens have the $T_0$ separation property.

(3) A finite set $s$ is critical iff every sequential open that contains it also contains its meet $\bigwedge s$.

(4) A function $f : E \to E'$ is sequential iff it is continuous and it preserves criticality and meets of critical sets, i.e., for every critical set $s$ of $E$, $fs = \{fx \mid x \in s\}$ is critical, and $f(\bigwedge s) = \bigwedge(fs)$.

(5) Every finite bounded set is critical. Every sequential open is stable open. Every sequential function is stable.

3.3  Product  of  indexed  domains 

It seems reasonable to assume that an incremental step of a sequential computation in a product domain $D_1 \times D_2$ corresponds to an increment in one of the components, but not both. This leads us to define the indexed domain product of $E_1 = (D_1, I_1)$ and $E_2 = (D_2, I_2)$ to be the indexed domain $E_1 \times E_2 = (D_1 \times D_2, I_\times)$, where $D_1 \times D_2$ is the usual domain product, ordered componentwise, and $I_\times$ is defined by

$I_\times(x,y) = \{\, r \times (\uparrow y_0) \mid r \in I_1 x \;\&\; y_0 \in K(\downarrow y) \,\} \cup \{\, (\uparrow x_0) \times r \mid r \in I_2 y \;\&\; x_0 \in K(\downarrow x) \,\}$.

It is easy to check that $I_\times$ is an index function.

Proposition 3.2 A finite set $s \subseteq E_1 \times E_2$ is critical iff both $\pi_1 s$ and $\pi_2 s$ are critical.

An indexed domain product is, in fact, a categorical product in the category of indexed domains and sequential functions (for any underlying class of domains closed under product).

Proposition 3.3 Indexed domain product is a categorical product.

Proof: It is sufficient and easy to show that the projections $\pi_i : E_1 \times E_2 \to E_i$ are sequential, for $i = 1, 2$, and that for sequential functions $f_i : E \to E_i$, $i = 1, 2$, the mediating morphism $\lambda x \in E\,.\,(f_1 x, f_2 x)$ is a sequential function from $E$ to $E_1 \times E_2$. ■

A sequential function on an indexed domain product remains sequential when one of its arguments is fixed.

Proposition 3.4 For every sequential function $f : E_1 \times E_2 \to E'$ and every $x \in E_1$, the function $\mathrm{curry}\,f\,x = \lambda y \in E_2\,.\,f(x,y)$ is a sequential function from $E_2$ to $E'$.
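The following Python program is a worked example added to this page; it is not code from the paper. It implements Sections 3.1 to 3.3 on finite domains, where every element is isolated, so the finite-origin axiom holds automatically and directed sets have a greatest element. Its assumptions are labelled in the comments: the index structure on the flat domain Bool (a single step at $\bot$ whose outcome is $T$ or $F$, the obvious choice, since the data-index structure of [BG92] is not defined on this page), and the product index with the pinned coordinate ranging over the whole lower set. The program checks the five index axioms on Bool, Bool × Bool and Bool³, verifies Proposition 3.2 on every non-empty subset of Bool × Bool, confirms that the set $t$ used in the application counter-example of Section 3.5 is critical in Bool³, and applies the critical-set criterion of Proposition 3.1(4) to show that parallel-or is not sequential while left-to-right or is.

```python
from itertools import combinations, product as cartesian

BOT, T, F = "⊥", "T", "F"   # the flat domain Bool, with ⊥ < T and ⊥ < F

class IndexedDomain:
    """Finite indexed domain (D, I) of Section 3.1: elements, order `leq`, and an index
    function I mapping each x to a set of stable opens (frozensets) that omit x."""

    def __init__(self, elems, leq, index):
        self.elems, self.leq, self.index = frozenset(elems), leq, index

    def up(self, x):
        return frozenset(y for y in self.elems if self.leq(x, y))

    def down(self, x):
        return frozenset(y for y in self.elems if self.leq(y, x))

    def bounded(self, x, y):
        return any(self.leq(x, z) and self.leq(y, z) for z in self.elems)

    def meet(self, s):
        """Greatest lower bound of a non-empty set (the domains are bounded-complete)."""
        lbs = [z for z in self.elems if all(self.leq(z, y) for y in s)]
        return next(z for z in lbs if all(self.leq(w, z) for w in lbs))

    def is_stable_open(self, r):
        return (all(self.up(x) <= r for x in r) and
                all(self.meet({x, y}) in r for x in r for y in r if self.bounded(x, y)))

    def check_axioms(self):
        """Check the index-function axioms of Section 3.1 (finite origin is automatic
        on a finite domain); returns True or raises naming the violated axiom."""
        for x in self.elems:
            for r in self.index[x]:
                assert self.is_stable_open(r), "indices must be stable opens"
                assert x not in r, "true increment"
                mins = {m for m in r if not any(z != m and self.leq(z, m) for z in r)}
                assert r == frozenset().union(*(self.up(m) for m in mins)), "definiteness"
                for y in self.up(x):
                    assert y in r or r in self.index[y], "upwards motion"
            for y in self.up(x) - {x}:
                assert any(y in r for r in self.index[x]), "separation"
        return True

    def indices_of(self, x, s):
        """I(x, s): the indices of s at x."""
        return {r for r in self.index[x] if frozenset(s) <= r}

    def is_critical(self, s):
        """A non-empty finite set is critical iff it has no index at its meet."""
        return bool(s) and not self.indices_of(self.meet(s), s)

    def nonempty_subsets(self):
        elems = sorted(self.elems, key=repr)
        for k in range(1, len(elems) + 1):
            yield from map(frozenset, combinations(elems, k))

def product(E1, E2):
    """Indexed domain product of Section 3.3: a step increments exactly one component;
    the other is pinned above an isolated element below it (here any element of its
    lower set, since every element of a finite domain is isolated)."""
    elems = frozenset(cartesian(E1.elems, E2.elems))
    index = {}
    for x, y in elems:
        index[(x, y)] = (
            {frozenset(cartesian(r, E2.up(y0))) for r in E1.index[x] for y0 in E2.down(y)}
            | {frozenset(cartesian(E1.up(x0), r)) for r in E2.index[y] for x0 in E1.down(x)})
    return IndexedDomain(elems, lambda a, b: E1.leq(a[0], b[0]) and E2.leq(a[1], b[1]), index)

def product_criticality_agrees(E1, E2, E12):
    """Proposition 3.2, checked on every non-empty subset of E1 x E2."""
    return all(E12.is_critical(s) == (E1.is_critical({a for a, _ in s})
                                      and E2.is_critical({b for _, b in s}))
               for s in E12.nonempty_subsets())

def is_sequential(f, dom, cod):
    """Proposition 3.1(4): f (a dict) is sequential iff it is continuous (monotone, on
    finite domains) and preserves criticality and meets of critical sets."""
    if not all(cod.leq(f[x], f[y]) for x in dom.elems for y in dom.up(x)):
        return False
    for s in dom.nonempty_subsets():
        if dom.is_critical(s):
            fs = frozenset(f[x] for x in s)
            if not cod.is_critical(fs) or f[dom.meet(s)] != cod.meet(fs):
                return False
    return True

# Assumed index structure on Bool: at ⊥ the single step "evaluate", whose outcome
# lands in {T, F}; T and F admit no further step.  (The paper's data-index
# structure is defined in [BG92], not on this page.)
BOOL = IndexedDomain({BOT, T, F}, lambda a, b: a == b or a == BOT,
                     {BOT: {frozenset({T, F})}, T: set(), F: set()})
BOOL2 = product(BOOL, BOOL)
BOOL3 = product(BOOL, BOOL2)                                # Bool^3 as Bool x (Bool x Bool)
CRITICAL_T = {(T, (F, BOT)), (BOT, (T, F)), (F, (BOT, T))}  # the set t of Section 3.5
# parallel-or versus left-to-right or, as tables over Bool x Bool
POR = {p: T if T in p else F if p == (F, F) else BOT for p in BOOL2.elems}
LOR = {p: p[1] if p[0] == F else p[0] for p in BOOL2.elems}
```

Running `BOOL3.check_axioms()` passes only because the pinned coordinate in `product` ranges over the whole lower set: with $\uparrow y$ alone, upwards motion fails at $(x, y) \le (x, y')$ for $y < y'$. The set $\{(T,\bot), (\bot,T)\}$ is critical in Bool × Bool (each projection has least element $\bot$), and parallel-or maps it to $\{T\}$ while sending the meet $(\bot,\bot)$ to $\bot \ne T$, which is exactly the failure of Proposition 3.1(4); left-to-right or passes every critical set.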

3.4  Ordering  the  sequential  function  space 

An adaptation of the development in [BG92] shows that arithmetic domains are closed under the pointwise-ordered sequential function space. In other words, if $E$ and $E'$ are indexed arithmetic domains then the sequential function space $E \to_{sq} E'$, equipped with the pointwise order, is an arithmetic domain. Property FM is essential for this. An even simpler development shows that di-domains are closed in the same sense under the stably-ordered function space; this is an easy corollary of the downwards closure of sequential functions in the stably-ordered stable function space. The following proposition summarizes these results; proofs may be found in [BG92].

Proposition 3.5 Arithmetic domains are closed under the pointwise-ordered sequential function space, regardless of the index structures used. Directed lubs and finite meets are taken pointwise, and the isolated elements are the sequential functions that are the pointwise lubs of finitely many step functions.

3.5  Application  is  not  sequential 

Function application $app : (E \to_{sq} E', I) \times E \to E'$ is not sequential, no matter which index function $I$ is used, and whether we employ the pointwise or stable orders. This also establishes that uncurrying does not preserve sequentiality, since function application is the uncurrying of an identity function. It is perhaps not surprising that uncurrying does not preserve sequentiality: the uncurried form of a function has a more complicated domain of definition, where more subtle interactions are possible that would prevent the uncurried form from being sequential.

The counter-example relies on the product structure and on the index domain axioms, and in particular on the criticality of a set with a least element, a corollary of the true increment property. Let $Bool$ be the domain of booleans, with elements $\bot < T, F$. Consider the application function $app : (Bool^3 \to_{sq} Bool) \times Bool^3 \to Bool$, and the sets

$$s = \{\, ([(T,F,\bot) \Rightarrow T] \vee [x \Rightarrow T],\; x) \mid x \in t \,\}$$
$$t = \{\, (T,F,\bot),\; (\bot,T,F),\; (F,\bot,T) \,\}.$$

$\pi_1 s$ has least element $[(T,F,\bot) \Rightarrow T]$ in both the pointwise and stable orderings on the function space, and $\pi_2 s = t$ is critical, since its projection on any of its three components has a least element $\bot$. Thus $s$ is critical. But

$$app(\wedge s) = [(T,F,\bot) \Rightarrow T](\bot,\bot,\bot) = \bot \neq T = \wedge\{T\} = \wedge(app\, s),$$

so that $app$ fails to preserve a critical meet, and is therefore not sequential.

This  negative  result  implies  that  we  cannot  use  the  framework  presented  here  —  the  category 
IDOM  of  indexed  arithmetic  domains  and  sequential  functions  —  to  give  a  sequential  model  for 
all  of  PCF,  since  application  is  definable  in  PCF  (up  to  currying).  Nevertheless,  we  will  be  able  to 
give  a  sequential  model  for  an  appropriately  restricted  subset  of  PCF. 

4  Interpreting  types  as  indexed  domains 

We look now at ways of instantiating the index structure to obtain type interpretations in the category IDOM. We consider the simple type system generated by the grammar $\sigma ::= \rho \mid \sigma \to \sigma'$, where $\rho$ ranges over a set of ground types.

We assume given a flat domain $A[\![\rho]\!]$ for each ground type $\rho$. We need to choose an index function for each such $A[\![\rho]\!]$ in order to interpret $\rho$ as an indexed domain. We then intend to interpret an arrow type $\sigma \to \sigma'$ as the sequential function space between the indexed domains representing $\sigma$ and $\sigma'$, ordered pointwise, with a suitably chosen index structure on the function space. This raises the question of what kind of index function is appropriate for a sequential function space.

4.1  Data  sequentiality 

At first-order types like $\sigma \to \sigma'$, where $\sigma$ and $\sigma'$ are ground, the notion of sequential function defined in [BG92] is adequate. This notion of sequentiality, which we will call data sequentiality, coincides with the Kahn-Plotkin sequential functions when $\sigma$ and $\sigma'$ are restricted to concrete domains [KP78, Cur86], and coincides with the Milner and Vuillemin notions of sequentiality when the types are restricted to products of flat domains [Mil77, Vui73].

Data sequentiality is characterized in terms of index functions as follows. Although we only need to use the definitions here when $D$ is a flat domain (since ground types are flat), it is easy to give a more general definition for di-domains.

For a di-domain $D$ we define the data-index function $I^d_D$ at $x \in D$ by setting

$$I^d_D\, x = \{\, r \in St\, D \mid x \notin r \;\&\; \forall y \in \min r \,.\, (x \uparrow y \Rightarrow x \prec x \vee y) \,\}.$$

The data-index function $I^d_D$ is easily seen to be an index function for a di-domain $D$.

This definition of data sequentiality requires atomicity of the increment represented by an index, so that successive approximations to an input will form a covering chain. If atomicity is not imposed, say, if we used $I^d_D\, x = \{\, r \in St\, D \mid x \notin r \,\}$, then one could, for instance, check in a single step whether an input in $Bool^3$ is in $\uparrow\{(T,F,\bot),\, (\bot,T,F),\, (F,\bot,T)\}$. This would clearly not be appropriate for computation in a sequential language.

Data sequentiality interacts nicely with indexed domain product. By atomicity, progress cannot be made simultaneously in different components of a product, since $(x,y) \prec (x',y')$ iff either $x \prec x'$ and $y = y'$, or $x = x'$ and $y \prec y'$; this corresponds exactly to the reasoning behind the definition of product. Therefore, the index function for the product of data-indexed domains coincides with the data-index function for the product, i.e.,

$$(D_1 \times D_2,\; I^d_{D_1 \times D_2}) = (D_1, I^d_{D_1}) \times (D_2, I^d_{D_2}).$$

In [BG92] we attempted to use data sequentiality uniformly for all domains, i.e., to construct a sequential model in which each type is interpreted as a data-indexed domain. This corresponds to an operational assumption that incremental computation over a function space proceeds in the same way as incremental computation over data. This assumption is reasonable in some frameworks, such as concrete domains and sequential algorithms, and the language CDS0 [BC85, Cur86]. However, this operational assumption is not appropriate for PCF, where information about a functional argument is essentially incremented by applying it. We thus perceive the need to employ a different, higher-order, notion of sequentiality over the functional domains, that would correspond better to PCF's operational assumptions. (See [BG92] for further discussion.)

4.2  Constant-applicative  sequentiality 

In order to arrive at a higher-order notion of sequentiality more closely matching PCF's operational character, we analyze the way in which information about functional inputs is obtained in PCF. This is ultimately done by applying such an argument, as a PCF variable, say $f$, to an argument of appropriate type, say, a term $M$, with the result of the application $f\,M$ conveying information about the input represented by $f$. Call $M$ the prompter of $f$.

For example, consider the following PCF term $M_0$:

$$M_0 = \lambda f : Bool \to Bool \to Bool \,.\; \mathbf{if}\ (f\,T\,\Omega) \,\&\, (f\,F\,T) \,\&\, \neg(f\,F\,F)\ \mathbf{then}\ T\ \mathbf{else}\ \Omega,$$

where $\Omega$ is a divergent constant of type $Bool$, and $\&$ is the PCF term for the left-strict-and function written in infix notation. When $M_0$ is applied to a term $M$ of type $Bool \to Bool \to Bool$, $M_0$ may be seen as successively increasing its information about its input. The result of the application is $T$ precisely when the sequence of approximations is

$$\bot,\quad [(T,\bot) \Rightarrow T],\quad [(T,\bot) \Rightarrow T] \vee [(F,T) \Rightarrow T],\quad [(T,\bot) \Rightarrow T] \vee [(F,T) \Rightarrow T] \vee [(F,F) \Rightarrow F]$$

(up to currying). Each step of the computation corresponds to an application of $f$ to some prompter. Divergence of any step would imply divergence of the entire computation. The term $M_0$ uses only closed prompters: each application of $f$ is to "constant" arguments.

Consider next the prompters in the following PCF terms,

$$M_1 = \lambda f : \sigma \to \sigma' \,.\, \lambda x : \sigma \,.\, f\,x,$$

$$M_2 = \lambda f : Bool \to Bool \to Bool \,.\; \mathbf{if}\ (f\,(f\,T\,\Omega)\,(f\,\Omega\,T)) \,\&\, (f\,T\,F) \,\&\, (f\,F\,T) \,\&\, \neg(f\,F\,F)\ \mathbf{then}\ T\ \mathbf{else}\ \Omega.$$

In the first case, $M_1$ denotes the identity function on the type $\sigma \to \sigma'$, or, up to currying, the corresponding application function. It is not strict in the input $x$, but it is strict in the input $f$. The prompter $x$ of $f$ may be said to be input-dependent, in that it involves an input other than $f$. In the second case, $M_2$ denotes the least functional that maps the left-strict-or function $lor = [(T,\bot) \Rightarrow T] \vee [(F,T) \Rightarrow T] \vee [(F,F) \Rightarrow F]$ and the right-strict-or function $ror = [(\bot,T) \Rightarrow T] \vee [(T,F) \Rightarrow T] \vee [(F,F) \Rightarrow F]$ to $T$. It is defined using imbrication [BCL85, p. 129]: the prompter $f\,T\,\Omega$ may be said to be self-dependent, since it uses the input $f$ about which information is being sought.

We are not yet able to give a satisfactory treatment of dependent prompters. Instead, in this paper we make the simplifying assumption that prompters must be constant, i.e., independent of the input. On the syntactic side, we will impose a restriction on the use of application so that we need only consider PCF terms using closed prompters. The terms $M_1$ and $M_2$ are thus excluded from consideration. On the semantic side, we assume that a computation of a value $f$ over a function space $E \to_{sq} E'$ proceeds at each step by determining the result of applying $f$ to a constant element in $E$. This gives rise to the notion of constant-applicative sequentiality.

Corresponding to a value $x \in K(E)$ and a "residual" index $r'$ in $E'$, we define a ca-index $[x \Rightarrow r']$ in the pointwise-ordered sequential function space $E \to_{sq} E'$ between $E$ and $E'$ to be the stable open

$$[x \Rightarrow r'] = \uparrow\{\, [x \Rightarrow y] \mid y \in K(r') \,\} = \uparrow\{\, [x \Rightarrow y] \mid y \in \min r' \,\}$$

of $E \to_{sq} E'$, and we define the ca-index function $I^{ca}_{E,E'}$ on $E \to_{sq} E'$ by:

$$I^{ca}_{E,E'}\, f = \{\, [x \Rightarrow r'] \mid x \in K(E) \;\&\; r' \in I'(fx) \,\}.$$

It is easy to check that $I^{ca}_{E,E'}$ is an index function for $E \to_{sq} E'$. From this point on, we will assume that the sequential function space is equipped with the ca-index function; the following results depend on this choice.

Proposition 4.1 A finite set $s \subseteq E \to_{sq} E'$ is critical iff for all $x \in K(E)$, $sx = \{\, fx \mid f \in s \,\}$ is critical.

Proposition 4.2 Currying preserves sequentiality, i.e., if $f : E_1 \times E_2 \to E'$ is a sequential function then $curry\, f : E_1 \to (E_2 \to_{sq} E')$ is a sequential function.

Application of a fixed sequential function $f \in E \to_{sq} E'$, i.e., the function $\lambda z \in E \,.\, fz$, coincides with $f$ and is therefore sequential. More importantly, application to a fixed argument is sequential.

Proposition 4.3 For every $z \in E$, the function $\lambda f \in E \to_{sq} E' \,.\, fz$ is sequential.

Proof: If $s$ is a critical set of $E \to_{sq} E'$ then $sz$ is critical, and $\wedge(sz) = (\wedge s)z$. ■

4.3  Maximal  uncurrying 

As we have indicated, the meaning $[\![\sigma \to \sigma']\!]$ of an arrow type in the model will essentially be taken to be the sequential function space between $[\![\sigma]\!]$ and $[\![\sigma']\!]$. A further refinement is still needed. Type interpretations are usually defined in ccc's, where there is an isomorphism

$$[\![\sigma_1]\!] \to ([\![\sigma_2]\!] \to [\![\sigma']\!]) \;\cong\; ([\![\sigma_1]\!] \times [\![\sigma_2]\!]) \to [\![\sigma']\!]$$

via currying and uncurrying. In that case, it doesn't really matter which of the two is taken to define $[\![\sigma_1 \to (\sigma_2 \to \sigma')]\!]$. This is not so in our case, since uncurrying does not preserve sequentiality.

The question now arises whether a function that is sequential in its curried form, but not in its uncurried form, should be included in the sequential model. For example, consider the parallel-or function, $por = [(T,\bot) \Rightarrow T] \vee [(\bot,T) \Rightarrow T] \vee [(F,F) \Rightarrow F]$. Its curried form, $curry\, por : Bool \to (Bool \to Bool)$, is sequential because of the trivial index structure of $Bool$. However, $por$ itself, of type $Bool \times Bool \to Bool$, is not sequential: $por^{-1}\{T\} = \uparrow\{(T,\bot), (\bot,T)\}$ is not sequential open. Moreover, parallel-or is not definable in PCF, and it is therefore desirable to exclude it from any sequential model. Thus, we will regard as "truly" sequential only those functions whose maximally uncurried form is sequential. To build a model including only such functions we will interpret arrow types in their maximally uncurried form.
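As an added illustration, not part of the paper, the following Python decides Milner/Vuillemin sequentiality (the notion data sequentiality coincides with on products of flat domains, Section 4.1) for functions $Bool^n \to Bool$ given as lubs of step functions, and runs it on the functions discussed here: $lor$ and $ror$ from Section 4.2 (sequential), $por$ above (no sequentiality index at $(\bot,\bot)$), and the step function that sends the Section 4.1 set $\{(T,F,\bot), (\bot,T,F), (F,\bot,T)\}$ to $T$ (no index at $(\bot,\bot,\bot)$). The encoding of $\bot$ as `None` and the list-of-steps representation are constructed for this example.

```python
from itertools import product

# Flat domain Bool: bottom is None; True and False are the two maximal elements.
BOT = None
BOOL = (BOT, True, False)


def leq(x, y):
    """Componentwise order on Bool^n: x <= y iff each x_i is bottom or equals y_i."""
    return all(a is BOT or a == b for a, b in zip(x, y))


def apply_steps(steps, x):
    """Evaluate the lub of step functions [p => v] at the point x.

    The value is v for any step whose pattern p lies below x, and bottom if no
    step applies.  Two applicable steps with different outputs would mean the
    steps do not describe a monotone function, so that case is rejected.
    """
    outputs = {v for p, v in steps if leq(p, x)}
    if len(outputs) > 1:
        raise ValueError("step functions are inconsistent at %r" % (x,))
    return outputs.pop() if outputs else BOT


def is_sequential(steps, n):
    """Milner/Vuillemin sequentiality of f : Bool^n -> Bool given by its steps.

    f is sequential iff at every x with f(x) = bottom, either no y >= x has
    f(y) != bottom, or some coordinate i with x_i = bottom is a sequentiality
    index: every y >= x with f(y) != bottom also has y_i != bottom.
    Returns (True, None), or (False, x) for a point x where no index exists.
    """
    points = list(product(BOOL, repeat=n))
    for x in points:
        if apply_steps(steps, x) is not BOT:
            continue
        defined_above = [y for y in points
                         if leq(x, y) and apply_steps(steps, y) is not BOT]
        if not defined_above:
            continue  # f is bottom on the whole cone above x: nothing to compute
        has_index = any(x[i] is BOT and all(y[i] is not BOT for y in defined_above)
                        for i in range(n))
        if not has_index:
            return False, x
    return True, None


# The functions from the text, as lubs of step functions (pattern, value).
LOR = [((True, BOT), True), ((False, True), True), ((False, False), False)]
ROR = [((BOT, True), True), ((True, False), True), ((False, False), False)]
POR = [((True, BOT), True), ((BOT, True), True), ((False, False), False)]
# The step function sending the Section 4.1 set to T and everything else to bottom.
GUSTAVE = [((True, False, BOT), True), ((BOT, True, False), True), ((False, BOT, True), True)]

if __name__ == "__main__":
    for name, steps, n in (("lor", LOR, 2), ("ror", ROR, 2),
                           ("por", POR, 2), ("Bool^3 membership test", GUSTAVE, 3)):
        print(name, is_sequential(steps, n))
```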

4.4  The  sequential  type  interpretation 

We now define the sequential type interpretation $C[\![\cdot]\!]$, mapping each type $\sigma$ to an indexed domain $C[\![\sigma]\!]$:

• For a ground type $\rho$, $C[\![\rho]\!]$ is the flat domain equipped with the standard data-index structure.

• Each arrow type $\sigma$ can be written uniquely in the form $\sigma_1 \to \cdots \to \sigma_n \to \rho$, where $n \ge 1$ and $\rho$ is ground. We define $C[\![\sigma]\!]$ to be the sequential function space $C[\![\sigma_1]\!] \times \cdots \times C[\![\sigma_n]\!] \to_{sq} C[\![\rho]\!]$, ordered pointwise, with the standard constant-applicative index structure.

We assume that we have at least ground types $Bool$ and $Nat$, corresponding to the usual flat domains of truth values and natural numbers respectively.

5  A  sub-language  of  PCF 

5.1  The  ca-PCF  typing  system  and  semantics 

Raw (untyped) terms are built from a given set of constants, identifiers, application and abstraction in the usual way, as in PCF. We define axioms and inference rules for judgements of the form $\Gamma \vdash M : \sigma$, to be read as: the term $M$ has type $\sigma$ in type context $\Gamma$. A type context is a finite ordered list of identifier-type pairs, and we write $\Gamma, v : \sigma$ for the type context obtained by extending $\Gamma$ with the binding $v : \sigma$. Identifiers may occur more than once in a type environment, and the rightmost occurrence always takes precedence. The essential restriction imposed by our typing system is that a variable of functional type may only be applied to closed terms. This captures the simplifying assumption that prompters cannot depend on the input. For convenience we also require that a variable of functional type be applied successively to as many arguments as needed to obtain a result of ground type; this restriction is less important.

The terms of ca-PCF are those terms $M$ for which a judgement $\Gamma \vdash M : \sigma$ is derivable. We use $L$ to range over terms, and $K$ to range over closed terms. A term $K$ is closed iff it has no free identifiers; equivalently, if $\vdash K : \sigma$ is derivable for some $\sigma$.

We define a semantic function $C[\![\cdot]\!]$ for judgements $\Gamma \vdash M : \sigma$ by induction on the proof of the judgement. Throughout we assume that $\Gamma$ has form $v_1 : \gamma_1, \ldots, v_m : \gamma_m$ and that $\sigma$ is written in the form $\sigma_1 \to \cdots \to \sigma_n \to \rho$, where $\rho$ is ground. The meaning of $\Gamma \vdash M : \sigma$ will be

$$C[\![\Gamma \vdash M : \sigma]\!] \in C[\![\gamma_1 \to \cdots \to \gamma_m \to \sigma]\!] = C[\![\gamma_1]\!] \times \cdots \times C[\![\gamma_m]\!] \times C[\![\sigma_1]\!] \times \cdots \times C[\![\sigma_n]\!] \to_{sq} C[\![\rho]\!].$$

Note that the environment is "blended into" the semantic domains; this is necessary, since all functions in the model, including the meanings of terms, are to be fully uncurried.

We assume a semantic function $A[\![\cdot]\!]$ for constants such that $A[\![c]\!] \in A[\![\sigma]\!]$ for each constant $c$ of type $\sigma$. As in PCF we assume at least the following constants with their usual interpretations.

where $\sigma_0 = \sigma_0^1 \to \cdots \to \sigma_0^{n_0} \to \rho_0$ and

$$f = \lambda(x_1 \in C[\![\gamma_1]\!], \ldots, x_m \in C[\![\gamma_m]\!]) \,.\; \lambda(x'_1 \in C[\![\sigma_0^1]\!], \ldots, x'_{n_0} \in C[\![\sigma_0^{n_0}]\!]) \,.\; C[\![\Gamma \vdash L_0 : \sigma_0]\!](x_1, \ldots, x_m, x'_1, \ldots, x'_{n_0}).$$


• Abstraction:

$\Gamma, v : \sigma \vdash L : \sigma'$
———————————————— (abs)
$\Gamma \vdash (\lambda v : \sigma \,.\, L) : \sigma \to \sigma'$

$$C[\![\Gamma \vdash (\lambda v : \sigma \,.\, L) : \sigma \to \sigma']\!] = C[\![\Gamma, v : \sigma \vdash L : \sigma']\!]$$

Proposition 5.1 Every term has a unique type: if $\Gamma \vdash L : \sigma$ and $\Gamma \vdash L : \sigma'$ are both derivable then $\sigma = \sigma'$.

The semantic function $C[\![\cdot]\!]$ is well-defined, and for every derivable judgement $\Gamma \vdash L : \sigma$,

$$C[\![\Gamma \vdash L : \sigma]\!] \in C[\![\gamma_1 \to \cdots \to \gamma_m \to \sigma]\!],$$

where $\Gamma = v_1 : \gamma_1, \ldots, v_m : \gamma_m$.

5.2  Definability  of  isolated  elements 

The link between the syntactic restrictions of ca-PCF and the semantic assumptions of the sequential model is formulated as a full abstraction result.

Proposition 5.2 For every type $\sigma$ and each isolated $x \in C[\![\sigma]\!]$ there exists a closed term $Def_x$ such that $C[\![\vdash Def_x : \sigma]\!] = x$.

Moreover, for every ground type $\rho'$, $k > 0$ and each finite sequence $X = x_1, \ldots, x_k$ of isolated elements of $C[\![\sigma]\!]$, if $\uparrow X$ is an index at $x$ then there is a closed term $Sel_X$ such that

$$C[\![\vdash Sel_X : \sigma \to (\rho')^k \to \rho']\!] = \lambda(x \in C[\![\sigma]\!],\, y_1 \in C[\![\rho']\!], \ldots, y_k \in C[\![\rho']\!]) \,.\, (\vee\{\, [x_i \Rightarrow y_i] \mid i \le k \,\})\, x.$$

We call such a term a selector for $X$.

Proof: By type induction on $\sigma$.

If $\sigma$ is a ground type we have already assumed the existence of the relevant defining constants. We can choose for $Sel_{T,F} : Bool \to \rho' \to \rho' \to \rho'$ the constant $\mathbf{if}_{\rho'}$. For other selectors over $Bool$ use the obvious variations.

For $Sel_X : Nat \to (\rho')^k \to \rho'$ take

$Sel_X = \lambda z : Nat \,.\, \lambda y_1 : \rho' \,.\, \ldots\, \lambda y_k : \rho' \,.$
    if $z = 0$ then $M_0$ else
    if $z = 1$ then $M_1$ else
    $\ldots$
    if $z = k'$ then $M_{k'}$ else
    $\Omega$

where $k' = \max\{x_1, \ldots, x_k\}$, and for $0 \le j \le k'$, $z = j$ is short for $(=0)((-1)^j z)$, and $M_j = y_i$ if there exists $i$ such that $j = x_i$, and $M_j = \Omega$ otherwise$^1$.

For other ground types we need to assume the existence of appropriately interpreted constants to allow a similar definition of selector terms.

$^1$This term tests $z$ against the values $0, \ldots, k'$ in increasing order, to avoid attempting to subtract 1 from 0.
If $\sigma$ is not ground, assume that $\sigma = \sigma_1 \to \cdots \to \sigma_n \to \rho$, and let $f$ be an isolated sequential function in $C[\![\sigma]\!]$. Since $f$ is isolated, it is the lub of a finite set of step functions. Choose a minimal set $F$ of step functions such that $f = \vee F$, say $F = \{\, [x_i \Rightarrow y_i] \mid i \le l \,\}$, where each $x_i = (x_i^1, \ldots, x_i^n)$. By minimality of $F$, none of the $y_i$'s is $\bot$. Continue now by induction on $l$.

If $l = 0$ then $f = \bot$, so we can let $Def_f = \Omega^\sigma = \lambda v_1 : \sigma_1 \,.\, \ldots\, \lambda v_n : \sigma_n \,.\, \Omega^\rho$.

If $l = 1$ then $f = [(x_1^1, \ldots, x_1^n) \Rightarrow y_1]$. By the induction hypothesis there are closed terms $Def_{y_1}$ and selectors $Sel_{x_1^j}$ for each $j$. We can take

$$Def_f = \lambda v_1 : \sigma_1 \,.\, \ldots\, \lambda v_n : \sigma_n \,.\, Sel_{x_1^1}\, v_1\, (\ldots (Sel_{x_1^n}\, v_n\, (Def_{y_1})) \ldots).$$

If $l > 1$, let $s = \{\, x_i \mid i \le l \,\}$. Clearly, $\uparrow s = f^{-1}(C[\![\rho]\!] \setminus \{\bot\})$. By minimality of $F$, $s$ has no least element, or else $f$ would be a single step function, given that $C[\![\rho]\!]$ is a flat domain. Therefore $\wedge s \notin \uparrow s$. By sequentiality of $f$, $\uparrow s$ is sequential open, so that $s$ is not critical. It has an index at $\wedge s$ in the product $C[\![\sigma_1]\!] \times \cdots \times C[\![\sigma_n]\!]$, which is derived from an index in one of the components; assume without loss of generality that it is derived from an index in the $m$'th component, so that there is an $r \in I(\wedge(\pi_m s), \pi_m s)$. If we take a minimal $r$ (with respect to number of lobes) it will have at most $l$ lobes, by minimality, but at least 2 lobes, since $\wedge s \notin r = \uparrow(\min r)$, using definiteness. Let $l'$ be the number of lobes of $r$, so that $r = \uparrow\{\, z_j \mid j \le l' \,\}$. This now lets us split $F$ into corresponding collections of step functions, each with less than $l$ elements, that may be distinguished on the basis of $r$. More formally, for $j \le l'$, let $f_j = \vee F_j$, where $F_j = \{\, [x_i \Rightarrow y_i] \mid i \le l \;\&\; z_j \le x_i^m \,\}$. Since each $f_j$ is the lub of less than $l$ step functions, it is definable, by the induction hypothesis. We are now able to define $f$:

$$Def_f = \lambda v_1 : \sigma_1 \,.\, \ldots\, \lambda v_n : \sigma_n \,.\, Sel_{z_1, \ldots, z_{l'}}\, v_m\, (Def_{f_1}\, v_1 \ldots v_n) \ldots (Def_{f_{l'}}\, v_1 \ldots v_n).$$

We now show definability of $Sel_{f_1, \ldots, f_k}$ in the functional case. If $\uparrow\{\, f_i \mid i \le k \,\}$ is an index at $g$ in $C[\![\sigma]\!]$ then there must exist $x_0 = (x_0^1, \ldots, x_0^n)$ such that $f_i = [x_0 \Rightarrow y_i]$, and $\{\, y_i \mid i \le k \,\}$ is an index at $g\,x_0$ in $C[\![\rho]\!]$. We are therefore able to transform the selection problem in the function space into a selection problem in the ground case, which has already been solved. We thus obtain:

$$Sel_{f_1, \ldots, f_k} = \lambda f : \sigma \,.\, \lambda v_1 : \rho' \,.\, \ldots\, \lambda v_k : \rho' \,.\; Sel_{y_1, \ldots, y_k}\, (f\, Def_{x_0^1} \ldots Def_{x_0^n})\, v_1 \ldots v_k.$$

Note that $f$ is applied to closed arguments, so this is a valid term. ■

The essential difference between this definability proof and Plotkin's proof for the parallel extension of PCF [Plo77, lemma 4.5] is in the synthesis of the defining term for arrow type with $l > 1$, in the above terminology. Plotkin's proof uses the parallel conditional facility to combine a defining term for the lub of $l$ step functions with an additional step function to obtain a defining term for the lub of $l + 1$ step functions; we rely instead on the existence of an index that partitions the set of step functions into smaller sets.

Full abstraction, both inequational and equational, follows by standard arguments from the definability of all isolated elements [Mil77, Sto88].

Proposition 5.3 The semantics $C[\![\cdot]\!]$ is inequationally fully abstract with respect to itself as a notion of program behavior. That is, for any pair of derivable judgements $\Gamma \vdash L : \sigma$ and $\Gamma \vdash L' : \sigma$,

$$C[\![\Gamma \vdash L : \sigma]\!] \le C[\![\Gamma \vdash L' : \sigma]\!]$$

iff, for every appropriate$^2$ program context $P[\cdot]$ of type $\rho$,

$$C[\![\vdash P[L] : \rho]\!] \le C[\![\vdash P[L'] : \rho]\!].$$

$^2$Since we do not associate fixed types with variables we must assign to holes in program contexts a type context $\Gamma$ which they provide, as well as the type of the term that they expect in the hole.
To link up this result with the standard notion of behavior for PCF programs, we verify that $C[\![\cdot]\!]$ agrees with the usual operational semantics for PCF, as presented in [Plo77].

Proposition 5.4 The program behaviors induced by the semantics $C[\![\cdot]\!]$ and the operational semantics coincide. That is, for every closed term $P$ of ground type $\rho$, $C[\![\vdash P : \rho]\!] = x \neq \bot$ iff $P$ evaluates to (the constant denoting) $x$, and $C[\![\vdash P : \rho]\!] = \bot$ iff the evaluation of $P$ diverges.

In summary, the semantics $C[\![\cdot]\!]$ is fully abstract for ca-PCF with respect to the usual notion of program behavior.

5.3 Recursive definitions

Since the fixpoint operator is continuous but not sequential in our framework, we cannot simply add the usual fixpoint constants $Y$ to the language ca-PCF. Nevertheless, any particular sequential function on an arithmetic domain $D$ has a least fixed point in $D$. We may therefore add $\mu$-abstraction to ca-PCF: for each ca-PCF term $M$ of type $\tau \to \tau$ the term $\mu t : \tau \,.\, M\,t$ of type $\tau$ is equivalent to $Y\,M$. To permit non-trivial uses of recursion, such as

$$(\times 2) = \mu f : Nat \to Nat \,.\, \lambda x : Nat \,.\; \mathbf{if}\ x = 0\ \mathbf{then}\ 0\ \mathbf{else}\ (f\,(x - 1) + 2),$$

in which the recursively defined variable $f$ has an input-dependent prompter $x - 1$, we then need to relax the term-forming syntactic constraints of ca-PCF to allow $\mu$-bound variables to be applied to input arguments inside the body $M$. The meaning of every term is in the right semantic domain when supplied with appropriate values for its free $\mu$-bound variables.

6  Conclusion 

We  have  introduced  a  notion  of  indexed  domain  and  shown  that  it  permits  a  general  definition 
of  sequential  function  enjoying  certain  domain-theoretic  properties.  In  particular,  we  obtain  a 
class  of  indexed  domains  containing  the  flat  domains,  closed  under  product,  and  closed  under 
the  pointwise-ordered  sequential  function  space.  We  have  shown  that  a  particular  kind  of  index 
structure  on  function  spaces  gives  rise  to  a  fully  abstract  semantics  for  a  non-trivial  sub-language 
of  PCF.  Nevertheless,  unrestricted  application  is  not  a  sequential  function  in  our  model,  and  it 
remains  to  be  seen  if  we  can  find  a  yet  more  sophisticated  notion  of  index  structure  that  would  cope 
satisfactorily  with  full  PCF.  This  would  have  to  deal  with  the  complications  caused  by  imbrication 
and  what  we  have  called  input-  or  self-dependent  prompters.  The  generalized  indices  should,  like 
the  indices  presented  here,  have  a  firm  operational  grounding,  and  they  should  carry  information 
that  can  be  used  for  showing  definability  of  the  sequential  functions  in  the  generalized  framework. 

There  are  interesting  connections  and  significant  differences  with  the  work  of  Bucciarelli  and 
Ehrhard  [BE91].  The  critical  sets  of  an  indexed  domain  always  form  a  coherence  structure  in 
the  sense  of  Bucciarelli  and  Ehrhard  (and  the  sequential  functions  in  our  model  correspond  to 
their strongly stable functions). The converse is not true, because our requirements on index structures are stronger, so as to build in the ability to model incremental computation. Bucciarelli and Ehrhard also use data sequentiality at ground types, and essentially the same product.
They  obtained  a  cartesian  closed  category  of  strongly  stable  functions  between  qualitative  domains 
equipped  with  coherence  structure,  using  the  stable  ordering  on  function  spaces;  in  particular,  in 
their  model  application  is  sequential  with  respect  to  the  stable  ordering.  However,  the  coherence 
structures  that  they  use  on  function  types  do  not  correspond  to  index  structures,  and  apparently  do 
not convey enough operational information to model incremental sequential computation. Moreover, the pointwise ordering is of primary relevance for the PCF full abstraction problem, since
it  corresponds  to  the  operational  pre-order  on  terms  of  function  type,  and  therefore  we  are  more 
concerned  to  find  a  notion  of  sequential  function  space  using  the  pointwise  order. 

References

[BC82] G. Berry and P.-L. Curien. Sequential algorithms on concrete data structures. Theoretical Computer Science, 20:265-321, 1982.

[BC85] G. Berry and P.-L. Curien. Theory and practice of sequential algorithms: the kernel of the applicative language CDS0. In M. Nivat and J. C. Reynolds, editors, Algebraic Methods in Semantics, chapter 2, pages 35-87. Cambridge University Press, 1985.

[BCL85] G. Berry, P.-L. Curien, and J.-J. Lévy. Full abstraction for sequential languages: the state of the art. In M. Nivat and J. C. Reynolds, editors, Algebraic Methods in Semantics, chapter 3, pages 89-132. Cambridge University Press, 1985.

[BE91] A. Bucciarelli and T. Ehrhard. Sequentiality and strong stability. In Proc. Sixth Annual IEEE Symposium on Logic in Computer Science. IEEE Computer Society Press, July 1991.

[Ber78] G. Berry. Stable models of typed λ-calculi. In Proc. 5th Coll. on Automata, Languages and Programming, number 62 in Lecture Notes in Computer Science, pages 72-89. Springer-Verlag, July 1978.

[BG92] S. Brookes and S. Geva. Stable and sequential functions on Scott domains. Technical Report CMU-CS-92-121, School of Computer Science, Carnegie Mellon University, June 1992.

[CF92] R. Cartwright and M. Felleisen. Observable sequentiality and full abstraction. In Nineteenth Annual ACM Symposium on Principles of Programming Languages, pages 328-342. ACM Press, January 1992.

[Cur86] P.-L. Curien. Categorical Combinators, Sequential Algorithms and Functional Programming. Research Notes in Theoretical Computer Science. Pitman, 1986. Second edition, expanded and updated, published by Birkhäuser, Boston, 1993.

[Cur92] P.-L. Curien. Observable algorithms on concrete data structures. In Seventh Annual IEEE Symposium on Logic in Computer Science, pages 432-443. IEEE Computer Society Press, June 1992.

[GHK+80] G. Gierz, K. H. Hofmann, K. Keimel, J. D. Lawson, M. Mislove, and D. S. Scott. A Compendium of Continuous Lattices. Springer-Verlag, 1980.

[KP78] G. Kahn and G. D. Plotkin. Domaines concrets. Rapport 336, IRIA-LABORIA, 1978. English translation (with historical introduction by S. Brookes) to appear in Theoretical Computer Science, 1993.

[Mil77] R. Milner. Fully abstract models of typed lambda-calculi. Theoretical Computer Science, 4:1-22, 1977.

[Mul87] K. Mulmuley. Full Abstraction and Semantic Equivalence. MIT Press, 1987.

[Plo77] G. D. Plotkin. LCF considered as a programming language. Theoretical Computer Science, 5(3):223-255, 1977.

[Saz75] V. Yu. Sazonov. Sequentially and parallelly computable functionals. In Proc. Symp. on Lambda-Calculus and Computer Science Theory, number 37 in Lecture Notes in Computer Science. Springer-Verlag, 1975.

[Sto88] A. Stoughton. Fully Abstract Models of Programming Languages. Research Notes in Theoretical Computer Science. Pitman, 1988.

[Vui73] J. Vuillemin. Proof techniques for recursive programs. PhD thesis, Stanford University, 1973.

[Zha91] G. Q. Zhang. Logic of Domains. Progress in Theoretical Computer Science. Birkhäuser, Boston, 1991.


Another  approach  to  sequentiality:  Kleene’s 
unimonotone  functions 

Antonio  Bucciarelli 

LIENS-DMI,  Ecole  Normale  Superieure,  45  rue  d’Ulm,  Paris,  France 

buccia@dmi.ens.fr 


Abstract 

We show that Kleene's theory of unimonotone functions strictly relates to the theory of sequentiality originated by the full abstraction problem for PCF. Unimonotone functions are defined via a class of oracles, which turn out to be alternative descriptions of a subclass of Berry-Curien's sequential algorithms.


1 Introduction

In the late seventies, in order to define models of (simply typed) functional programming languages which were closer than Scott models to the operational semantics of such languages, the notions of sequentiality ([6, 4]) and stability ([1]) were introduced and studied. These works originated from the problem of full abstraction, raised in [12], which can be formulated as follows: find a model of PCF (a simply typed $\lambda$-calculus with recursion, taken in this framework as the paradigm of functional languages) in which any (finite) element is the denotation of some term. Clearly this (still open) problem is strictly related to the characterization of the expressivity of PCF at higher types.

Quite in the same period S. C. Kleene, revisiting some of his earlier works on generalized recursion theory, attacked the problem of “generating a class of functions which shall coincide with all the partial functions which are “computable” or “effectively decidable”, so that Church’s 1936 thesis will apply with the higher types included” ([8] 1.2). His starting point was the definition of a list of schemata for the definition of partial recursive functionals. Computations in this framework are represented by trees: an expression $E$ is defined (under a given assignment of values to free variables) if and only if the principal branch of the computation tree rooted in $E$ ends with a value (a natural number).

This operational semantics allowed one to recover at higher types most of the basic results of classical recursion theory (enumeration theorem, substitution principle, recursion theorems) (see [8, 7]). The next point of Kleene’s program ([9, 10]) consisted of providing a denotational semantics for his “type-$j$ objects”, i.e. in characterizing the class of functions and functionals definable by the schemata.

Thus Kleene and people interested in the problem of full abstraction for PCF began to work, independently, on two very related subjects: the definability problem for calculi based on recursive equations and $\lambda$-calculus.

People working on PCF aimed to define models of the full calculus by means of cartesian closed categories of domains and “sequential” morphisms, whereas Kleene focused his attention on finite types up to type three in a hierarchy starting from natural numbers (type 0).

As for the first approach, the notion of sequential function between concrete data structures ([6]) provided a complete characterization of PCF-definability at first order, but failed to give rise to cartesian closed categories. This notion suggested two main developments. The first one consisted in weakening sequentiality into a property extendable to higher orders, and this is what G. Berry [1] did in introducing stable semantics. The second one, carried out by Berry and P.-L. Curien (see [2]), was to stick firmly to the notion of sequentiality, but the price to pay was the impossibility of keeping functions as morphisms; they were obliged to switch to sequential algorithms.

Kleene’s approach to the problem of definability is based on the notion of unimonotone functions. The interesting fact is that the two clauses of the definition of unimonotonicity correspond to stability and sequentiality respectively.¹

We establish the bridge between the theories of sequential algorithms and unimonotone functions. We want to stress that these theories are based on the same idea of computability at higher types, by showing that any unimonotone function is computed by some sequential algorithm. The converse does not hold, essentially because in order to get cartesian closedness, it is necessary to take into account sequential algorithms which do not compute any (monotone) function.

This is actually the main difference between the two approaches to the definability problem: in the Berry-Curien model algorithms are first class objects, whereas Kleene uses algorithms (that he calls oracles) only to define the notion of unimonotonicity. The objects of his model are functions, obtained by an extensional quotient on oracles.

The same kind of quotient is used by Curien in [5, 4] to build the model of extensional algorithms. Hence Kleene’s construction may be regarded (“a posteriori”) as an attempt at collapsing into a single step the Berry-Curien construction:

sequential functions → sequential algorithms → extensional algorithms

In this paper we do not tell the whole story, contenting ourselves with studying the relation between oracles and sequential algorithms. We show that oracles may be simulated by algorithms at any type and we give a simple full abstraction result for unimonotone functions at type 2.


¹ A puzzling point is that unimonotone functions are not required to be Scott-continuous.

In example 9 we show how the nesting of function calls in PCF (and in Kleene’s schemata) makes the use of intensional descriptions of computations necessary to approach the problem of higher-order definability.

2 Concrete Data Structures (CDSs) and sequential algorithms

We first recall the basic definitions of CDSs as they can be found in [4].

Definition 1 A CDS $M = (C_M, V_M, E_M, \vdash_M)$ is given by three sets $C_M$, $V_M$ and $E_M$ of cells, values and events such that

$E_M \subseteq C_M \times V_M$ and $\forall c \in C_M\ \exists v \in V_M\ (c,v) \in E_M$

and a relation $\vdash_M$, called an accessibility relation, between finite parts of $E_M$ and elements of $C_M$. A set $\{e_1, \ldots, e_n\}$ is an enabling of $c$ if $\{e_1, \ldots, e_n\} \vdash_M c$. $C_M$ and $V_M$ are assumed countable.

We will omit the subscript $M$ whenever possible. Given a CDS $M$, a state of $M$ is a subset $x$ of $E_M$ which is conflict-free (any cell is filled with at most one value) and safe (any filled cell is enabled):

Definition 2 A state of $M$ is a subset $x$ of $E_M$ such that

1) $(c, v_1), (c, v_2) \in x \Rightarrow v_1 = v_2$

2) If $(c,v) \in x$, then there exists a sequence of events $e_0, \ldots, e_n = (c,v)$ such that $e_i = (c_i, v_i) \in x$ and $\{e_j \mid j < i\}$ contains an enabling of $c_i$ for all $i \le n$.

The set of states of a CDS $M$ ordered by inclusion is a partially ordered set denoted by $D(M)$.

We now define the CDSs whose associated domains are (isomorphic to) the two-point Sierpinski space ($\bot < T$) and the flat domain of boolean values respectively.

example 1:

$O = (\{*\}, \{T\}, \{(*,T)\}, \emptyset \vdash *)$

[figure: the Hasse diagrams of $D(O)$, the two-point chain $\bot < T$, and $D(B)$, the flat domain with $t$ and $f$ above $\bot$]


example 2:

$B = (\{*\}, \{\mathit{true}, \mathit{false}\}, \{(*, \mathit{true}), (*, \mathit{false})\}, \emptyset \vdash *)$


Last we give useful notations:

Definition 3 Let $x \in D(M)$ for a CDS $M$. A cell $c$ is

• filled in $x$ iff $(c,v) \in x$ ($F(x)$ will denote the set of filled cells)

• enabled in $x$ iff $x$ contains an enabling of $c$ ($E(x)$ will denote the set of enabled cells)

• accessible from $x$ iff it is enabled but not filled in $x$ ($A(x)$ will denote the set of accessible cells)

In both the examples above the cell $*$ is accessible from the empty state. Cells having this property are called initial.

Definition 4 If $M$, $M'$ are CDSs, the CDS of sequential algorithms from $M$ to $M'$ is noted $[M \to M']$ and defined by

$C_{[M \to M']} = D(M)_0 \times C_{M'}$, where $D(M)_0$ denotes the finite states of $M$;

$V_{[M \to M']} = \{\mathit{valof}\ c \mid c \in C_M\} \cup \{\mathit{output}\ v' \mid v' \in V_{M'}\}$;

$E_{[M \to M']} = \{((x,c'), \mathit{valof}\ c) \mid c \in A(x)\} \cup \{((x,c'), \mathit{output}\ v') \mid (c',v') \in E_{M'}\}$;

$((x,c'), \mathit{valof}\ c) \vdash (y,c')$ if $\exists v \in V_M\ y = x \cup \{(c,v)\}$;

$((x_1,c'_1), \mathit{output}\ v'_1), \ldots, ((x_n,c'_n), \mathit{output}\ v'_n) \vdash (x,c')$ if $x = \bigcup_{1 \le i \le n} x_i$ and $(c'_1,v'_1), \ldots, (c'_n,v'_n) \vdash_{M'} c'$.

Given a sequential algorithm $a \in [M \to M']$, the function $f_a : D(M) \to D(M')$ associated to $a$ is defined by $f_a(x) = \{(c',v') \mid \exists y \le x\ ((y,c'), \mathit{output}\ v') \in a\}$ (actually $f_a$ is well defined only if $M$, $M'$ are stable CDSs (see [4]); this will always be the case in what follows).

3 Unimonotone functions and Oracles

Let us begin by defining the types we are interested in: type 0 is the flat domain of natural numbers, and, for $i \le 2$, type $i+1$ is the set of unimonotone partial functions from type $i$ to type 0, ordered extensionally (i.e. $f \le g$ if for all $x$, $f(x) = n \to g(x) = n$). Unimonotone means MONOTONE with a UNique and Intrinsically determined basis.

Kleene gives the definition of unimonotone function in two steps: the first one (uniqueness of the basis) consists in requiring that, if $f(x)$ is defined, and hence $f(x) = n$ for some $n \in \omega$, then there exists $x' \le x$ such that $f(x') = n$ and for any $x'' \le x$, if $f(x'') = n$ then $x' \le x''$. Such $x'$ is called the basis for $x$ with respect to $f$. The Scott-continuous functions $f$ of type $i$ such that for any $x$ of type $i-1$, if $f(x)$ is defined then there exists a basis for $x$ with respect to $f$, are exactly the stable functions. However, in this framework Scott continuity is not required. The second step of the definition consists in requiring that the basis for $x$ with respect to $f$, when $x$ ranges over the domain of $f$ (i.e. over type $i-1$ if $f$ is of type $i$), be intrinsically determined. Actually a big part of Kleene’s work is devoted to explaining what “intrinsic determination of bases” means, by the definition of a class of oracles which compute unimonotone functions. Our aim is to show that these oracles are a particular kind of sequential algorithms, and hence that unimonotone functions are sequential in the sense of Kahn-Plotkin.²

Since any sequential function is stable, the first clause of the definition of unimonotone function (uniqueness of bases) is subsumed by the second one (intrinsic determination of bases). In what follows we focus on this second requirement: a function is unimonotone if it is computed by an oracle of the form that we are going to define.

From now on let $f^i$ and $O^i$ range over the classes of type $i$ unimonotone functions and type $i$ oracles respectively. An oracle $O^i$ is described by her (we follow Kleene’s indications about the sex of oracles) behaviour when presented with an envelope containing a type $i-1$ oracle (a type 0 oracle being simply an element of type 0).


² Actually, since sequential functions are continuous, only continuous and unimonotone functions are sequential.


3.1 Type 1 oracles

Type 1 oracles compute unimonotone functions from type 0 to type 0. When presented with an envelope containing an element of type 0 (the envelope being empty if this element is undefined), a type 1 oracle $O^1$ behaves in one of the following ways:

case 1.1 She does nothing. In this case $O^1$ computes the completely undefined function $\lambda x.\bot$. Such an oracle will be called the empty type 1 oracle and noted $u^1$.

case 1.2 Without opening the envelope, she pronounces that the result of the computation is the integer $n$. In this case $O^1$ computes the nonstrict constant function $\lambda x.n$.

case 1.3 She opens the envelope, so declaring that the function she computes is strict. If the envelope is empty (i.e. if we have presented her with the bottom element of type 0), she stands mute; if it contains an integer $n$, she may either stand mute or give an integer $m$ as result, depending on $n$. In this case $O^1$ computes the function the graph of which is $\{(n_1,m_1), \ldots, (n_k,m_k), \ldots\}$, a pair $(n_i,m_i)$ belonging to this graph if and only if $O^1$ gives $m_i$ as result when presented with an envelope containing $n_i$.

Functions computed by type 1 oracles are clearly monotone, and it is easy to see that any monotone function from type 0 to type 0 is computed by some oracle. Actually any function other than $\lambda x.\bot$ is computed by exactly one oracle. The function $\lambda x.\bot$ is computed by $u^1$ (case 1.1) and by the oracle (operating under case 1.3) which opens envelopes but never gives a result.

3.2 Type 2 oracles

Type 2 oracles compute unimonotone functions from type 1 to type 0. When presented with an envelope containing a type 1 oracle $O^1$ which computes $f^1$, a type 2 oracle $O^2$ (computing $f^2$) behaves in one of the following ways:

case 2.1 She does nothing. In this case $O^2$ computes the completely undefined function $f^2 = \lambda f^1.\bot$. Such an oracle will be called the empty type 2 oracle and noted $u^2$.

case 2.2 Without opening the envelope, she pronounces that the result of the computation is the integer $n$. In this case $O^2$ computes the nonstrict constant function $f^2 = \lambda f^1.n$.

case 2.3 She opens the envelope, so revealing that she wants information about $O^1$ before deciding whether to give a result. To obtain such information, she begins to question $O^1$ by passing her an empty envelope (“there is nothing lost by our supposing that the $\alpha^2$-oracle starts with the preliminary question “$\alpha^1(\alpha^0)$?” using an empty envelope” [9]. Actually, as we shall see, this is the only possible choice in the CDS framework). According to the behaviour of $O^1$, three cases are possible:

case 2.3.1 $O^1$ stands mute (she operates under case 1.1). In this case $O^2$ stands mute too (any type 2 oracle operating under case 2.3 defines a strict functional).

case 2.3.2 $O^1$ gives the result $n$ without opening the envelope (she operates under case 1.2). Observing this, $O^2$ may either stand mute or give an integer $m$ as result, depending on $n$. In any case $O^2$ cannot continue to question $O^1$, since she knows everything about $f^1$ (namely that $f^1 = \lambda x.n$).

case 2.3.3 $O^1$ opens the envelope (she operates under case 1.3). Observing this, $O^2$ may either stand mute, or pose a first non-preliminary question $r_0 \in \mathbb{N}$. Questioned with $r_0$, $O^1$ will either stand mute or give an integer result $n_0$. In the former case $O^2$ stands mute; in the latter she can either stand mute, thus deciding that the information so far recorded about $O^1$ (namely that $O^1$ opens envelopes and that she gives $n_0$ as result when presented with $r_0$) is sufficient to rule out that $f^2(f^1)$ be defined, or give a result $m \in \mathbb{N}$ (declaring that $f^2(f^1) = m$), or query $O^1$ with another integer $r_1$. In general in this subcase 2.3.3, a series of questions (possibly extending into the transfinite) will be asked of $O^1$ by $O^2$ with distinct numbers

$r_0, r_1, \ldots, r_k, \ldots$

and will be answered by $O^1$ with numbers

$n_0, n_1, \ldots, n_k, \ldots$

where $n_i = f^1(r_i)$ and $r_i$ is determined by $O^2$ from only the information that $O^1$ opens envelopes and $f^1(r_j) = n_j$ for $j < i$. This continues until either, for a given ordinal $\tau$, $O^1$ does not answer $r_\tau$, which makes $f^2(f^1)$ undefined, or $O^2$ decides that the information so far collected about $O^1$ makes $f^2(f^1)$ undefined, or finally (only after at least one non-preliminary question has been posed) that it is sufficient to give $m$ as result ($f^2(f^1) = m$).

We have to prove that any type 2 oracle computes a monotone function of type 2. Firstly we have to show that, when we apply an oracle $O^2$ to an oracle $O^1$ computing $f^1$ (i.e. when we present $O^2$ with an envelope containing $O^1$), the result of the computation (if any) depends only on $f^1$. This is trivially the case if $f^1 \ne \lambda x.\bot$, since in this case, as remarked in the section devoted to type 1 oracles, there is a unique $O^1$ which computes $f^1$. If $f^1 = \lambda x.\bot$, it is sufficient to remark that, if $O^2$ gives a result, she must operate under case 2.2, and hence the result does not depend at all on $O^1$.

Next we have to prove that the function computed by $O^2$ is monotone. Let $f^1, g^1$ be unimonotone type 1 functions computed by $O^1$ and $P^1$ respectively, and such that $f^1 \le g^1$ (i.e. such that for any $x$ of type 0, $f^1(x) = m \to g^1(x) = m$). We have to show that if $O^2$ gives a result when applied to $O^1$ then she gives the same result when applied to $P^1$. This holds trivially if $O^2$ operates under cases 2.1 or 2.2. Suppose that $O^2$ operates under case 2.3: if both $O^1$ and $P^1$ come under case 1.2, then $f^1 = g^1$; if both $O^1$ and $P^1$ come under case 1.3, then $O^2$ will ask $O^1$ the same questions $r_0, \ldots, r_k, \ldots$ and receive the same answers $n_0, \ldots, n_k, \ldots$ from $O^1$ as from $P^1$, and hence will give the same result. Moreover it is impossible that $O^1$ comes under case 1.2 and $P^1$ under case 1.3 (since $f^1 \le g^1$), and that either $O^1$ or $P^1$ come under case 1.1, since we are supposing that $O^2$ gives a result when applied to $O^1$. The only case left is that $O^1$ comes under case 1.3 and $P^1$ under case 1.2, that is, $g^1$ is the non-strict constant $\lambda x.m$ for some $m \in \mathbb{N}$ and $f^1$ has graph $\{(n_1,m), (n_2,m), \ldots\}$ where $\{n_1, n_2, \ldots, n_k, \ldots\} \subseteq \mathbb{N}$. Actually in this case $O^2$ could give value $n$ on $O^1$ and value $l \ne n$ (or no value at all) on $P^1$, violating monotonicity. In this case the monotonicity is assured by stipulating that a type 2 oracle which gives result $n$ in subcase 2.3.3 on the basis of knowing that $f^1(r_k) = m$ for all $k$ less than a given ordinal $\tau$ must give the same result in case 2.3.2 on the oracle computing the non-strict constant $\lambda x.m$. This assumption makes the function computed by a type 2 oracle monotone.

For any type 2 function $f^2$ other than a non-strict constant $f^2 = \lambda f^1.m$, there exist infinitely many type 2 oracles computing it. This is essentially due to the fact that when operating under case 2.3, an oracle $O^2$ may ask arbitrary sequences of useless questions, a sequence being useless if, no matter what is answered by $O^1$, $O^2$ never gives a result.

In the following examples (borrowed from [9]) we show two functions from type 1 to type 0 which cannot be computed by any type 2 oracle. The first one does not respect the “unicity of bases” requirement; the second one has unique bases, but they are not intrinsically determined. The interesting fact is that these functions are the reformulation in the framework of Kleene’s types of the parallel-or function and of Berry’s example of a stable and non-sequential function [1].

example 3: Let $f^1_i$, $i = 1,2$, be the type 1 functions defined by the following graphs:

$f^1_1 = \{(0,0)\}$, $f^1_2 = \{(1,1)\}$

and let $f^2$ be such that $f^2(f^1) = 0$ if there exists $i \le 2$ such that $f^1_i \le f^1$, and be undefined otherwise. The function $g^1 = \{(0,0), (1,1)\}$ has no basis with respect to $f^2$. An oracle for $f^2$ should operate under case 2.3, and, in subcase 2.3.3, she should pick an $r_0 \in \mathbb{N}$ such that, for $i \le 2$, $f^1_i(r_0)$ be defined, but such an $r_0$ does not exist. ■

example 4: Let $f^1_i$, $i = 1,2,3$, be the type 1 functions defined by the following graphs:

$f^1_1 = \{(1,0), (2,1)\}$

$f^1_2 = \{(0,1), (2,0)\}$

$f^1_3 = \{(0,0), (1,1)\}$

and let $f^2$ be such that $f^2(f^1) = 0$ if there exists $i \le 3$ such that $f^1_i \le f^1$, and be undefined otherwise. An oracle for $f^2$ should operate under case 2.3, and, in subcase 2.3.3, she should pick an $r_0 \in \mathbb{N}$ such that, for $i \le 3$, $f^1_i(r_0)$ be defined, but such an $r_0$ does not exist. ■

3.3 Tree-representation of type 2 oracles

Type 2 oracles may be represented by trees, as in [10]. A non-trivial oracle $O^2$ (i.e. an oracle operating under case 2.3) is represented by a tree of the following kind:

• Non-leaf nodes represent the queries of $O^2$ (the root containing the preliminary empty query).

• Arcs are labelled by answers provided by the argument oracle $O^1$.

• Leaves represent the result given by $O^2$ when presented with the $O^1$ (partially) described by the corresponding branch.

Such a tree describes only “useful” computations of $O^2$, i.e. computations at the end of which $O^2$ gives a result.

example 5: The following (linear) tree represents a type 2 oracle computing the (non-Scott-continuous) functional $f^2$ defined as follows:

$f^2(f^1) = 0$ if and only if $f^1$ is the identity function on $\mathbb{N}$

[figure: the linear tree $\emptyset?$ — ($O^1$ opens) — $0?$ — $1?$ — $2?$ — $\cdots$ — $n?$ — $n+1?$ — $\cdots$ — result $0$]


The functional $f^2$ of the example above is not Scott-continuous since the oracle computing it gets an infinite amount of information about her argument before giving a result; the following easy result relates continuity to finiteness of trees:

Proposition 1 A unimonotone function $f^2$ computed by $O^2$ is Scott-continuous if and only if the tree representing $O^2$ has no infinite branch.


example 6: The following tree represents an oracle computing the functional $f^2$ defined as follows:

$$f^2(f^1) = \begin{cases} 0 & \text{if } f^1 = \lambda x.1 \text{ or } \{(0,3),(1,0)\} \subseteq f^1 \text{ or } \{(0,0)\} \subseteq f^1 \\ 1 & \text{if } f^1 = \lambda x.2 \text{ or } \{(0,3),(1,1)\} \subseteq f^1 \text{ or } \{(0,27),(2,3)\} \subseteq f^1 \\ \text{undefined} & \text{otherwise} \end{cases}$$

[figure: the tree representing this oracle]


The extensionality constraint which assures the monotonicity of functions computed by type 2 oracles imposes a global condition on trees. In the example above, for instance, if we remove the branch labelled “without opening, $O^1$ says 0” we lose monotonicity (because of the branch labelled “$O^1$ opens” and “0”). Note that the condition $f^2(\lambda x.0) = 0$ is not explicitly stated in the definition of $f^2$, since it is subsumed by $f^2(\{(0,0)\}) = 0$, by monotonicity of $f^2$.

In the last example we show how branchings can be infinite:

example 7: The following tree represents an oracle computing the functional $f^2$ defined as follows:

$f^2(f^1) = 1$ if and only if $f^1(0)$ is defined

[figure: the tree representing this oracle]

An interesting remark about type 2 oracles, in view of the comparison with sequential algorithms, is that the tree

[figure]

which would represent an oracle that gives result 0 on the basis of the fact that her argument $O^1$ opens envelopes (i.e. that $O^1$ computes a strict function) is not allowed, since in case 2.3.3, if $O^2$ gives a result, she must do so after having asked at least one non-preliminary question.

4 Concrete data structures for Kleene’s finite types

We define the concrete data structures we need to compare unimonotone functions and sequential algorithms: $N^0$ is the cds of natural numbers, and, for $j = 0,1,2$, $N^{j+1}$ is the cds of sequential algorithms from $N^j$ to $N^0$ (actually $N^3$ will not be treated in this section, see the last section).

$N^0 = (\{*\}, \omega, \{(*,n) \mid n \in \omega\}, \{\emptyset \vdash *\})$

A state of $N^0$ is either the empty set or the singleton $\{(*,n)\}$ for some $n \in \omega$, simply noted by $n$.

The cells of the cds $N^1$ are elements of the cartesian product $D(N^0) \times C_{N^0}$, i.e.

$C_{N^1} = \{(\emptyset, *)\} \cup \{(n,*) \mid n \in \omega\}$

The values of $N^1$ are defined by

$V_{N^1} = \{\mathit{valof}\ *\} \cup \{\mathit{output}\ n \mid n \in \omega\}$

and its events by

$E_{N^1} = \{(\mathit{init}_1, \mathit{valof}\ *)\} \cup \{(\mathit{init}_1, \mathit{output}\ n) \mid n \in \omega\} \cup \{((n,*), \mathit{output}\ m) \mid n,m \in \omega\}$

The cell $(\emptyset,*)$ is initial (and we call it $\mathit{init}_1$), and any other cell is enabled by the event $(\mathit{init}_1, \mathit{valof}\ *)$, the enabling being of type “valof” (see definition 4). We remark that in the cds’s $N^j$, $j = 1,2,3$, enablings of type “output” cannot occur, since the unique cell of the target cds $N^0$ is initial. Hence nonempty and finite states of $N^1$ are either of the form

$\{(\mathit{init}_1, \mathit{output}\ n)\}$

(the function computed by this algorithm being the nonstrict constant $\lambda m.n$) or of the form

$\{(\mathit{init}_1, \mathit{valof}\ *), ((n_1,*), \mathit{output}\ m_1), \ldots, ((n_k,*), \mathit{output}\ m_k)\}$

for $k \ge 0$, and for $1 \le i < j \le k$, $n_i \ne n_j$ (the function computed by this algorithm being $\{(n_1,m_1), \ldots, (n_k,m_k)\}$).

In the latter case and for $k = 0$, we get the “purely intensional” algorithm $\{(\mathit{init}_1, \mathit{valof}\ *)\}$, which is extensionally equivalent to the empty algorithm $\emptyset$, but plays a major role in the definition of type $N^2$. To make the treatment of higher types more readable, let us introduce some abbreviations for the finite states of $N^1$:

$\{(\mathit{init}_1, \mathit{output}\ n)\}$ will be noted $\lambda x.n$

$\{(\mathit{init}_1, \mathit{valof}\ *), ((n_1,*), \mathit{output}\ m_1), \ldots, ((n_k,*), \mathit{output}\ m_k)\}$ for $k \ge 0$ will be noted $\{(n_1,m_1), \ldots, (n_k,m_k)\}$ (note that the algorithm $\{(n_1,m_1), \ldots, (n_k,m_k)\}$ for $k = 0$ is not the empty algorithm, since it contains the event $(\mathit{init}_1, \mathit{valof}\ *)$).

Let us now pass to $N^2$: its cells are obtained by coupling finite elements of $N^1$ with the unique cell of $N^0$:

$C_{N^2} = \{(\emptyset,*)\} \cup \{(\lambda x.n, *)\} \cup \{(\{(n_1,m_1), \ldots, (n_k,m_k)\}, *)\}$

for $n, k, n_i, m_i \in \omega$, $k \ge 0$ and $1 \le i < j \le k$, $n_i \ne n_j$. As for $N^1$, the unique initial cell of $N^2$ is $(\emptyset,*)$, which we call $\mathit{init}_2$.

The values of $N^2$ are defined by:

$V_{N^2} = \{\mathit{valof}\ c \mid c \in C_{N^1}\} \cup \{\mathit{output}\ n \mid n \in \omega\} = \{\mathit{valof}\ \mathit{init}_1\} \cup \{\mathit{valof}\ (n,*) \mid n \in \omega\} \cup \{\mathit{output}\ n \mid n \in \omega\}$
Let us see which “valof events” are legal in $N^2$ (a “valof event” is one of the form $(c, \mathit{valof}\ c')$). Recall that in a functional cds an event $((x,c'), \mathit{valof}\ c)$ is legal if and only if $c \in A(x)$, hence the valof events in $N^2$ are the following:

$\{(\mathit{init}_2, \mathit{valof}\ \mathit{init}_1)\} \cup \{((\{(n_1,m_1), \ldots, (n_k,m_k)\}, *), \mathit{valof}\ (n,*)) \mid \forall i \le k\ n_i \ne n\}$

On the other hand any couple $(c,v)$ where $c \in C_{N^2}$ and $v$ is an output value of $N^2$ (i.e. $v = \mathit{output}\ n$) is an output event of $N^2$ (this is always the case when the target cds is flat). Let us describe now the enabling relation in $N^2$: as already remarked $\mathit{init}_2$ is the unique initial cell; moreover

• $(\mathit{init}_2, \mathit{valof}\ \mathit{init}_1) \vdash (\lambda x.n, *)$, $n \in \omega$

• $(\mathit{init}_2, \mathit{valof}\ \mathit{init}_1) \vdash ((\mathit{init}_1, \mathit{valof}\ *), *)$

• $((\{(n_1,m_1), \ldots, (n_k,m_k)\}, *), \mathit{valof}\ (n,*)) \vdash (\{(n_1,m_1), \ldots, (n_k,m_k), (n,m)\}, *)$, $m \in \omega$

We can describe a state $A$ of $N^2$ by means of the step-by-step process which, starting from the empty state, leads to the construction of $A$. At each stage of this process cells enabled at the previous stage may be filled, and if they are filled by valof values, new cells are enabled, as described above. At the initial stage 0, the unique enabled cell is $\mathit{init}_2$.

stage 0 $\mathit{init}_2$ is enabled. It can be filled either by an output value $\mathit{output}\ n$ (in this case no more cells are enabled and the functional defined by $A$ is the constant $\lambda f.n$) or by $\mathit{valof}\ \mathit{init}_1$. In this latter case infinitely many cells are enabled, namely those of the form $(\lambda x.n, *)$, $n \in \omega$, and the cell $((\mathit{init}_1, \mathit{valof}\ *), *)$.

stage 1 Any cell $(\lambda x.n, *)$ may be filled by an output value $\mathit{output}\ m$, meaning that the functional defined by $A$ gives $m$ as result when applied to the nonstrict constant $n$. The cell $((\mathit{init}_1, \mathit{valof}\ *), *)$ may be filled either by an output value, meaning that the strictness of its argument is sufficient for $A$ to give a result, or by a value $\mathit{valof}\ (n_0,*)$. In this latter case infinitely many cells are enabled, namely those of the form $(\{(n_0,m)\}, *)$, $m \in \omega$.

stage $i+1$, $i > 0$ At stage $i$ a (possibly empty) set of cells of the form

$(\{(n_0,m_0), (n_1,m_1), \ldots, (n_{i-1},m_{i-1})\}, *)$

have been enabled. Any of these cells may be filled either by an output value, producing the event

$((\{(n_0,m_0), (n_1,m_1), \ldots, (n_{i-1},m_{i-1})\}, *), \mathit{output}\ k)$

or by a value $\mathit{valof}\ (n_i,*)$ such that $n_i \ne n_j$ for $j < i$, producing the event

$((\{(n_0,m_0), (n_1,m_1), \ldots, (n_{i-1},m_{i-1})\}, *), \mathit{valof}\ (n_i,*))$

In this latter case the cells

$(\{(n_0,m_0), \ldots, (n_{i-1},m_{i-1}), (n_i,m)\}, *)$

for $m \in \omega$ are enabled.

It is easy to see that

$A = \bigcup_{i \in \omega} \{\text{the events produced at stage } i\}$

is a state of $N^2$, and that any state of $N^2$ may be constructed in this way.

5 From oracles to sequential algorithms

In this section we show that any (Scott-continuous and) unimonotone function is computed by some sequential algorithm. Since unimonotone functions are defined via oracles, it is sufficient to provide, for any given oracle, a sequential algorithm which simulates it. We begin by treating the rather simple case of type 1 oracles, proceeding by cases according to the definition of type 1 oracle given in section 3.1. For a given oracle $O^1$ we define a sequential algorithm $A^1 = Alg(O^1)$ which defines the same function as $O^1$ (we take for granted the obvious isomorphism between type 0 and $N^0$).

case 1.1 $O^1 = u^1$. In this case $Alg(O^1)$ is the empty algorithm.

case 1.2 $O^1$ is the oracle that, without opening envelopes, answers $n$. In this case $Alg(O^1) = \{(\mathit{init}_1, \mathit{output}\ n)\}$.

case 1.3 $O^1$ is the envelope-opening oracle that gives values $m_1, m_2, \ldots, m_k, \ldots$ on arguments $n_1, n_2, \ldots, n_k, \ldots$. In this case

$Alg(O^1) = \{(\mathit{init}_1, \mathit{valof}\ *), ((n_1,*), \mathit{output}\ m_1), \ldots, ((n_k,*), \mathit{output}\ m_k), \ldots\}$

It is clearly the case that $O^1$ and $Alg(O^1)$ define the same type 1 function. Actually $Alg$ defines a bijection between type 1 oracles and algorithms.

We pass now to type 2: we should define, for a given type 2 oracle computing f², a sequential algorithm Alg(O²) such that, for any given type 1 oracle O¹ computing f¹, Alg(O²)(Alg(O¹)) = f²(f¹). This cannot be done in general since, as shown in example 5, there exist oracles computing non-continuous functionals, and we know that sequential algorithms are continuous. So we consider only continuous oracles, i.e. oracles represented by trees with no infinite branch (proposition 1). Again we proceed by cases on the definition of type 2 oracles:
case 2.1 O² = u², the oracle that stands mute. In this case Alg(O²) is the empty algorithm.

case 2.2 O² is the oracle that, without opening envelopes, answers n. In this case Alg(O²) = {(init₂, output n)}.

case 2.3 This is the principal case. We define, for any tree T representing a type 2 oracle O² (in the sense defined in the section devoted to type 2 oracles), an algorithm Alg(O²) which computes the same functional as O². This can be done by exploring T in a breadth-first manner: to each node q of T will correspond an event (c, v) of N², such that c describes the behaviour of the type 1 algorithm so far explored in the branch of q (recall that a cell c of N² is essentially a finite type 1 algorithm), and v describes the (valof or output) action performed by O² on such an algorithm, contained in q. Any event produced in this way will be enabled by the event corresponding to the predecessor of q in T, the event corresponding to the root of T (0?) being always (init₂, valof init₁), enabled by the empty set.

Before giving the general definition of Alg(O²) in this last case, we show the sequential algorithms corresponding to the oracles of examples 6 and 7. We keep the tree structure of oracles: nodes contain events and arcs represent enablings (for typographical reasons the arcs are not explicitly given, but they can easily be reconstructed from the corresponding oracles). However it is worth noticing that the tree structure, essential in the tree description of oracles, is no longer necessary for sequential algorithms, since all the information contained in the branch of the ancestors of any node q is supplied by the cell of the event corresponding to q.

We show how to produce the sequential algorithm Alg(O²) when O² is the oracle of example 6, represented by the tree T, in a stepwise manner. At step i we produce an algorithm which simulates T up to level i (i.e. which simulates branches of depth less than or equal to i). In this example we use the above introduced abbreviation for type 1 algorithms, namely

{(init₁, valof *), ((n₁, *), output m₁), ..., ((nₖ, *), output mₖ)}

for k > 0 will be noted {(n₁, m₁), ..., (nₖ, mₖ)}. At step 0 we produce the (initial) event (init₂, valof init₁) which corresponds to the root of T. This event enables infinitely many cells, and in particular those we need for simulating depth-1 branches, as shown in the following algorithm (step 1), where each event is listed, indented, under the event that enables it:

(init₂, valof init₁)
    (({(init₁, valof *)}, *), valof 0)
    (({(init₁, output 0)}, *), output 0)
    (({(init₁, output 1)}, *), output 1)
    (({(init₁, output 2)}, *), output 1)
The event (({(init₁, valof *)}, *), valof 0) enables the cells ({(0, 3)}, *), ({(0, 0)}, *) and ({(0, 27)}, *), that we fill at step 2 in the following way:

(init₂, valof init₁)
    (({(init₁, valof *)}, *), valof 0)
        (({(0, 3)}, *), valof (1, *))
        (({(0, 0)}, *), output 0)
        (({(0, 27)}, *), valof (2, *))
    (({(init₁, output 0)}, *), output 0)
    (({(init₁, output 1)}, *), output 1)
    (({(init₁, output 2)}, *), output 1)

The final step 3 produces Alg(O²) completely (for typographical reasons we omit this stage).

The following algorithm corresponds to the third (and final) step in the construction of Alg(O²), where O² is the oracle of example 7.

(init₂, valof init₁)
    (({(init₁, valof *)}, *), valof 0)
        (({(0, 0)}, *), output 1)
        (({(0, 1)}, *), output 1)
        (({(0, 2)}, *), output 1)
        ⋮
        (({(0, n)}, *), output 1)
        (({(0, n+1)}, *), output 1)
        ⋮

We can now give a procedure for constructing Alg(O²) for a type 2 oracle operating under case 2.3, described by a tree T: let Alg⁰(O²) be the algorithm {(init₂, valof init₁)} (step 0).

• step 1

For any depth-1 branch of T of the form

0? →[without opening, O¹ says mᵢ (λx.mᵢ)]→ nᵢ

we produce the event (({(init₁, output mᵢ)}, *), output nᵢ).

If T contains the depth-1 branch

0? →[O¹ opens]→ r₀?

(remark that T contains at most one branch of this kind, by unicity of the first non-preliminary question r₀ asked to envelope-opening arguments), we produce the event (({(init₁, valof *)}, *), valof (r₀, *)). Let Alg¹(O²) be the algorithm

$$Alg^1(O^2) = Alg^0(O^2) \cup \{\text{all the events produced at step } 1\}$$

(remark that any cell filled in step 1 is enabled by Alg⁰(O²)).

• step i + 1, i > 0

For any depth-(i+1) branch

0? →[O¹ opens]→ r₀? → n₀ → r₁? → n₁ → ⋯ → rᵢ₋₁? → nᵢ₋₁ → rᵢ?

we produce the event

(({(r₀, n₀), (r₁, n₁), ..., (rᵢ₋₁, nᵢ₋₁)}, *), valof (rᵢ, *))

and for any depth-(i+1) branch of the form

0? →[O¹ opens]→ r₀? → n₀ → r₁? → n₁ → ⋯ → rᵢ₋₁? → nᵢ₋₁ → k

we produce the event

(({(r₀, n₀), (r₁, n₁), ..., (rᵢ₋₁, nᵢ₋₁)}, *), output k).

Remark that any cell filled at this step is enabled by the event previously produced for the depth-i branch

0? →[O¹ opens]→ r₀? → n₀ → ⋯ → rᵢ₋₁?

Let Algⁱ⁺¹(O²) be the algorithm

$$Alg^{i+1}(O^2) = Alg^i(O^2) \cup \{\text{all the events produced at step } i+1\}$$

Finally define

$$Alg(O^2) = \bigcup_{i \le depth(T)} Alg^i(O^2).$$

Once again it is clear that if T has infinite branches, as in example 5, then Alg(O²) cannot be defined (it could be defined if infinite cells were admitted in N²).


Proposition 2 If O² is a continuous type 2 oracle, then Alg(O²) is a sequential algorithm such that, for any type 1 oracle O¹,

$$Alg(O^2)(Alg(O^1)) = O^2(O^1).$$

Proof: Alg(O²) is a sequential algorithm, i.e. a state of N², since at any step we fill only cells enabled in the previous step or initial cells (at step 0), and clearly any cell is filled with at most one value. Let us prove that if, for a given O¹, O²(O¹) = n, then Alg(O²)(Alg(O¹)) = n. If O² operates under cases 2.1 or 2.2, then this is trivially the case. Let O² operate under case 2.3 and T be the corresponding tree. In this case we reason by cases on the branch b of T that is followed in the computation O²(O¹). By hypothesis such a branch ends with "n". Two cases are possible for b:

• b is the branch

0? →[without opening, O¹ says m (λx.m)]→ n

In this case Alg(O²) contains the event

(({(init₁, output m)}, *), output n).

Moreover we know that O¹ is the oracle that, without opening envelopes, gives result m, hence

Alg(O¹) = {(init₁, output m)}.

Hence we get Alg(O²)(Alg(O¹)) = n.

• b is a branch on which O¹ opens envelopes, of the form

0? →[O¹ opens]→ r₀? → n₀ → ⋯ → rᵢ₋₁? → nᵢ₋₁ → n

In this case Alg(O²) contains the event

(({(r₀, n₀), (r₁, n₁), ..., (rᵢ₋₁, nᵢ₋₁)}, *), output n).

Moreover O¹ opens envelopes and, for j ≤ i − 1, O¹ gives result nⱼ when presented with rⱼ. Hence we get

{(r₀, n₀), (r₁, n₁), ..., (rᵢ₋₁, nᵢ₋₁)} ⊆ Alg(O¹)

and hence Alg(O²)(Alg(O¹)) = n.

Similarly one can prove that, if Alg(O²)(Alg(O¹)) = n, then O²(O¹) = n. ∎

We have seen that any (continuous) oracle may be simulated by an algorithm. The converse does not hold, essentially because sequential algorithms may use intensional features of arguments in order to give a result. Consider for instance the following type 2 sequential algorithm

Strictness-tester = {(init₂, valof init₁), (({(init₁, valof *)}, *), output 0)}

The algorithm Strictness-tester, when applied to a type 1 algorithm A, gives value 0 if and only if the function computed by A is strict. Clearly Strictness-tester does not define a monotone functional, and hence it cannot be simulated by an oracle. Actually the tree representing an oracle simulating this algorithm should be

0? →[O¹ opens]→ 0

Such a tree, as remarked at the end of the section devoted to oracles, is not legal since it violates the condition "at least one non-preliminary question is asked" of case 2.3.3 of the type 2 oracles definition.

We end this section by showing that any finite type 2 unimonotone function (i.e. any type 2 unimonotone function computed by a finite tree) is PCF-definable. The argument is very simple, and we content ourselves with showing its application to the tree T of example 6: let f² be the functional computed by (the oracle associated to) T. We aim to define a PCF-term F defining f². It is clear that, for any type 1 function f¹, if f²(f¹) has to be defined then f¹(0) has to be defined. We can hence safely construct a prefix of F of the form "λf¹. case f¹(0) ...". The only interesting case is f¹(0) ∈ {3, 0, 27}. If, for instance, f¹(0) = 3, we can safely branch on a "case f¹(1) ...", the only interesting case this time being f¹(1) ∈ {0, 1}. If, for instance, f¹(1) = 0, we end the branching operation by "... then 0". We simply follow the branches of T, constructing a case subterm for each branching. This is enough for simulating the subtree of T rooted in 0?. As for the branches labelled by "without opening, O¹ says i" ending in a leaf mᵢ, it is enough to add in each "case" branching the alternative "else if f¹(⊥) = i ... then mᵢ".

Proposition 3 Any finite type 2 unimonotone functional is PCF-definable.
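The construction of Alg(O²) from a tree (case 2.3), its application to a type 1 algorithm (Proposition 2), the Strictness-tester and the PCF-term synthesis of Proposition 3, as an added executable example that is not the paper's own code. The tree encoding (the dataclasses Leaf, Question, Tree) and the tuple encoding of cells and values are assumptions of this example; EXAMPLE6 follows example 6 only as far as the page shows it (the leaf after f¹(1) = 1 and the whole (0, 27) subtree are constructed). run_alg follows the enabled cells of a type 2 algorithm applied to a type 1 algorithm, so the two sides of Proposition 2 can be compared, and it also shows the Strictness-tester answering 0 on {(init₁, valof *)} while staying undefined on the larger constant λx.2.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class Leaf:
    """The branch ends with a global answer k."""
    k: int


@dataclass
class Question:
    """Node "r?": O² asks its type 1 argument for its value on r; answers maps n -> subtree."""
    r: int
    answers: dict


@dataclass
class Tree:
    """A case 2.3 oracle below the root "0?": constant branches (m -> n) and the
    unique opening branch (None if absent).  Encoding assumed by this example."""
    consts: dict
    opens: Optional[Question]


# Cells of N² in the paper's abbreviation (assumed encoding): ("const", m) stands for
# ({(init₁, output m)}, *), ("opens", pairs) for ({(r₀,n₀), ...}, *), and the empty
# pairs for ({(init₁, valof *)}, *).  Values are ("valof", r) for valof (r, *) and
# ("output", k); the key "init2" holds the initial event (init₂, valof init₁).

def alg_of_tree(T: Tree) -> dict:
    """Translate T breadth-first into Alg(O²): step 0 is the root event, step 1 the
    depth-1 branches, step i+1 the depth-(i+1) branches, one tree level per round."""
    alg = {"init2": ("valof", "init1")}
    for m, n in T.consts.items():
        alg[("const", m)] = ("output", n)
    level = [((), T.opens)] if T.opens is not None else []
    while level:
        nxt = []
        for pairs, node in level:
            cell = ("opens", frozenset(pairs))
            assert cell not in alg, "a state fills each cell at most once"
            if isinstance(node, Leaf):
                alg[cell] = ("output", node.k)
            else:
                alg[cell] = ("valof", node.r)
                nxt += [(pairs + ((node.r, n),), c) for n, c in node.answers.items()]
        level = nxt
    return alg


def run_alg(alg: dict, a1) -> Optional[int]:
    """Apply a type 2 algorithm to a type 1 algorithm a1, given as ("const", m) for
    {(init₁, output m)} or ("opens", {r: n, ...}) for {(init₁, valof *), ((r,*), output n), ...}.
    The initial valof init₁ reveals which kind a1 is; None means no output is reached."""
    kind, table = a1
    if kind == "const":
        return alg.get(("const", table), (None, None))[1]
    pairs = ()
    while True:
        tag, v = alg.get(("opens", frozenset(pairs)), (None, None))
        if tag == "output":
            return v
        if tag != "valof" or v not in table:   # unfilled cell, or a1 undefined on r
            return None
        pairs += ((v, table[v]),)


def run_oracle(T: Tree, a1) -> Optional[int]:
    """O²(O¹) read off the tree itself, for comparison with run_alg (Proposition 2)."""
    kind, table = a1
    if kind == "const":
        return T.consts.get(table)
    node = T.opens
    while isinstance(node, Question):
        node = node.answers.get(table.get(node.r))
    return node.k if isinstance(node, Leaf) else None


def pcf_term(T: Tree) -> str:
    """The PCF-like term of Proposition 3: one 'case f¹(r)' per question, one alternative
    per answer, plus 'else if f¹(⊥) = m then n' for every constant branch, as in the text."""
    consts = "".join(f" else if f1(⊥) = {m} then {n}" for m, n in T.consts.items())

    def go(node):
        if isinstance(node, Leaf):
            return str(node.k)
        alts = " | ".join(f"{n} → {go(c)}" for n, c in node.answers.items())
        return f"(case f1({node.r}) of {alts}{consts})"

    return "λf1. " + (go(T.opens) if T.opens is not None else "⊥")


# The Strictness-tester of the text, written directly as an algorithm (it has no tree).
STRICTNESS_TESTER = {"init2": ("valof", "init1"), ("opens", frozenset()): ("output", 0)}

# Example 6 as far as the page shows it; the leaf after f¹(1) = 1 and the (0, 27)
# subtree are constructed for this example.
EXAMPLE6 = Tree(
    consts={0: 0, 1: 1, 2: 1},
    opens=Question(0, {
        3: Question(1, {0: Leaf(0), 1: Leaf(1)}),
        0: Leaf(0),
        27: Question(2, {5: Leaf(2)}),
    }),
)
```

alg_of_tree(EXAMPLE6) reproduces the step 1 and step 2 listings above (the cell ({(init₁, valof *)}, *) filled with valof 0, ({(0, 3)}, *) with valof (1, *), ({(0, 0)}, *) with output 0) and adds the depth-2 outputs; run_alg and run_oracle agree on every type 1 argument, including ones on which the functional is undefined, which is the content of Proposition 2 for this tree.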

6  Type  3  oracles  and  algorithms 

In [10] a complete description of type 3 oracles is given. Once again (continuous) type 3 oracles can be simulated by sequential algorithms. A first observation about the intensional behaviour of a type 3 oracle O³ (i.e. about the interactions between this oracle and her type 2 argument O²) is that in the principal case, the one in which both O³ and O² are strict (open envelopes), O³ cannot simply present O² with a first non-preliminary question O¹, as was the case at lower types. Actually this simplistic approach had been followed by Kleene until a counter-example by D. Kierstead (reported in [9, page 27]) showed that it does not work in general. Kierstead's example involves non-continuous type 2 functions; we propose here an alternative example.
example 8: Consider the functions f¹₁, f¹₂ : N → N defined in example 3, and let F¹₁, F¹₂ be PCF-terms defining them (for instance, F¹₁ = λn. if n = 0 then 0). Consider now the type 2 functionals f²₁, f²₂ defined as follows:

f²₁ : f¹₁ ↦ 0
f²₂ : f¹₂ ↦ 0

It is easy to see that f²₁ and f²₂ are actually unimonotone, and that they can be defined by terms F²₁, F²₂ as follows (we use a PCF-like syntax, but we could have used Kleene's schemata for recursive functionals as well):

F²₁ = λf¹. if f¹(0) = 0 then 0
F²₂ = λf¹. if f¹(1) = 1 then 0

Consider now the type 3 functional f³ defined by:

f³ : f²ᵢ ↦ 0 for 1 ≤ i ≤ 2

Such a functional is defined by the following term:

F = λf². f²(λn. if n = 0 then f²(F¹₁) else (if n = 1 then f²(F¹₂)))

and hence f³ should be unimonotone. Suppose now that O³ is an oracle for f³: when presented with an envelope-opening type 2 oracle O², O³ cannot simply pass to O² a type 1 oracle O¹ and wait for an answer of O². O³ must act in a more subtle way, taking into account the intensional behaviour of O². Let us see how an oracle O³ computing f³ has to behave when applied to O² computing f²: having checked that O² works under case 2.3 (i.e. that f² is strict), O³ questions O² with the type 1 oracle O¹ which opens envelopes but never gives a result (corresponding to the type 1 sequential algorithm {(init₁, valof *)}). If f² = f²₁, then O² will question O¹ with valof (0, *); if f² = f²₂, then O² will question O¹ with valof (1, *). In the former case the following question of O³ will be f¹₁ (i.e. O³ will present O² with an oracle computing f¹₁), in the latter it will be f¹₂. In both cases O³ uses her knowledge of the intensional behaviour of O² (i.e. of the question that O² has asked to O¹) for formulating the following question to O².

In the following diagram we show stage by stage the interaction between O³ and O² (computing a type 2 function f²). At even stages O³ has the control, and she can either question O² with a type 1 oracle, or give a final answer. At odd stages O² can either question the O¹ she has been presented with, or give a final answer (answers are boxed in the diagram). We assume that at stage 0 O³ has already learnt that O² behaves under case 2.3. We represent type 1 oracles by (corresponding) sequential algorithms. In this example O² computes f²₁.

stage   O³                               O²                 what O³ knows about O²
  0     valof {(init₁, valof *)}*                           O² opens envelopes
  1                                      valof (0, *)       O² needs the value of O¹ on 0
  2     valof {(0, 0)}*

The crucial stage is stage 1, in which O³ learns that she can safely question O² with (an oracle for) f¹₁.

The interaction described by this diagram may be seen as an unfolding of the λ-term F. Actually, in F the formal parameter f² is applied to a type 1 function which is f¹₁ if f² = f²₁, and f¹₂ if f² = f²₂, getting in any case the right result. ∎

Here is an alternative example:

example 9: Consider the functions f¹₁, f¹₂, f¹₃ : N → N defined in example 4, and let F¹₁, F¹₂, F¹₃ be PCF-terms defining them (for instance, F¹₁ = λn. if n = 1 then 0 else if n = 2 then 1). Consider now the type 2 functionals f²₁, f²₂, f²₃ defined as follows:

f²₁ : f¹₁ ↦ 0,  f¹₂ ↦ 1
f²₂ : f¹₂ ↦ 0,  f¹₃ ↦ 1
f²₃ : f¹₃ ↦ 0,  f¹₁ ↦ 1

It is easy to see that the f²ᵢ's are actually unimonotone, and that they can be defined by terms F²ᵢ's as follows

F²₁ = λf¹. case
    f¹(2) = 1 → if f¹(1) = 0 then 0
    f¹(2) = 0 → if f¹(0) = 1 then 1

F²₂ = λf¹. case
    f¹(0) = 1 → if f¹(2) = 0 then 0
    f¹(0) = 0 → if f¹(1) = 1 then 1

F²₃ = λf¹. case
    f¹(1) = 1 → if f¹(0) = 0 then 0
    f¹(1) = 0 → if f¹(2) = 1 then 1

Consider now the type 3 functional f³ defined by:

f³ : f²ᵢ ↦ 0 for 1 ≤ i ≤ 3

Such a functional is defined by the following term:

F = λf². f²(λn. case
    n = 0 → f²(F¹₃)
    n = 1 → f²(F¹₁)
    n = 2 → f²(F¹₂))

and hence f³ should be unimonotone. Suppose now that O³ is an oracle for f³: when presented with an envelope-opening type 2 oracle O², O³ cannot simply pass to O² a type 1 oracle O¹ and wait for an answer of O², since for any type 1 function f¹ there exists i ≤ 3 such that f²ᵢ(f¹) is not defined. ∎

We can now describe, following [10], the behaviour of a type 3 oracle O³ presented with an envelope containing a type 2 oracle O². As for lower types, there are three cases:

case 3.1 O³ stands mute. It computes the totally undefined function λf².⊥.

case 3.2 Without opening the envelope, O³ gives result n. It computes the non-strict constant λf².n.

case 3.3 O³ opens the envelope, revealing that she will require some information about O². To obtain such information, she begins by questioning O² with the preliminary question O¹ = u¹. Three cases are possible, according to the behaviour of O²:

case 3.3.1 O² does not open the envelope and stands mute. In this case O³ stands mute too.

case 3.3.2 Without opening, O² gives result n. Depending on n, O³ may either stand mute or give result m.

case 3.3.3 O² opens the envelope. Observing this, O³ may either stand mute or embark on a program of further systematic questioning of O²: the goal of such questioning is to construct (a part of) the tree associated to O². To begin with, O³ may choose the first non-preliminary question O¹ according to one of the following options:

option 1 O¹ is the non-strict constant n₀, for some n₀ ∈ ω. Questioned with O¹, O² will either stand mute (and the questioning falters) or give m₀ as result.
option 2 O¹ is the oracle which opens envelopes but never gives a result. Questioned with O¹, O² will either stand mute (and the questioning falters) or question O¹ with r₀ ∈ ω.

Under either option, if the questioning has not faltered, O³ records what she has thus far learned about O², namely:

option 1:   0? →[λx.n₀]→ m₀

option 2:   0? →[O¹ opens]→ r₀?

Option 1 may be reused arbitrarily many times, with different constants, whereas option 2 may be used at most once. At any further stage of the questioning, O³ may either use option 1 with a new constant or option 2 (if it has not already been used) or finally behave following the option we describe below.

option 3 O³ picks an already explored branch of the form

0? →[O¹ opens]→ r₀? → n₀ → r₁? → n₁ → ⋯ → rₖ? → nₖ → rₖ₊₁?

(where rₖ₊₁? is not necessarily a leaf) and answers the question rₖ₊₁? by nₖ₊₁ (if rₖ₊₁? is not a leaf, nₖ₊₁ has to be different from the answers previously provided). That is, O³ questions O² with the type 1 oracle computing the function {(r₀, n₀), (r₁, n₁), ..., (rₖ₊₁, nₖ₊₁)}. O² may either stand mute (and the questioning falters), or ask for rₖ₊₂, or finally give answer m. According to which of the two last possibilities occurs, the branch that has been chosen is completed, giving rise to

0? →[O¹ opens]→ r₀? → n₀ → ⋯ → rₖ? → nₖ → rₖ₊₁? → nₖ₊₁ → rₖ₊₂?

or to

0? →[O¹ opens]→ r₀? → n₀ → ⋯ → rₖ? → nₖ → rₖ₊₁? → nₖ₊₁ → m

A stage of the questioning is final if no branch of the tree constructed by O³ is ended by a question r?. At any stage O³ may decide to stop the questioning without giving any answer, or to pose a new question (following one of the described options) or finally (only if the stage is final) to give a global answer m on O².
This gives a complete description of type 3 oracles³ but is far from assuring that these oracles actually compute type 3 monotone functions. The following requirement is needed: if O² and P² are oracles computing f² and g², and f² ≤ g², then if O³(O²) = n, also O³(P²) = n. We can now see how a type 3 oracle O³ may be simulated by a sequential algorithm Alg(O³). We follow the description above, and, in order to avoid the proliferation of brackets, we note cells of the form (x, *) by x* (x being a type 1 or 2 algorithm):

case 3.1 Alg(O³) is the empty algorithm.

case 3.2

Alg(O³) = {(∅₂*, output n)}

(we index empty algorithms by their type)

case 3.3

Alg(O³) = {(∅₂*, valof ∅₁*)}

case 3.3.1 Nothing to say.

case 3.3.2

Alg(O³) = {(∅₂*, valof ∅₁*), ({(∅₁*, output n)}*, output m)}

(the other case being trivial)

case 3.3.3

Alg(O³) = {(∅₂*, valof ∅₁*), ({(∅₁*, valof ∅₀*)}*, valof QUESTION)}

The value of "QUESTION" depends on the option chosen by O³, namely:

option 1

QUESTION = {(∅₀*, output n₀)}*

In this case cells of the form

{(∅₁*, valof ∅₀*), ({(∅₀*, output n₀)}*, output m₀)}*

are enabled. If O² under option 1 gives answer m₀, this cell will be filled by a question arising from a next stage of the questioning.

option 2

QUESTION = {(∅₀*, valof *)}*

In this case cells of the form

{(∅₁*, valof ∅₀*), ({(∅₀*, valof *)}*, valof r₀*)}*

are enabled. These cells may be filled by values

valof {(∅₀*, valof *), (r₀*, output n₀)}*

and they will be actually filled and added to Alg(O³) if necessary, following the third option described below.

³ Actually in Kleene's approach there exists a further option, related to the fact that the tree associated to a type 2 oracle may contain infinite branches. Since we are interested in unimonotone and continuous functions, we skip it.

option 3 By induction on the number of stages so far performed, we get that the cell

C = {(∅₁*, valof ∅₀*), ({(∅₀*, valof *)}*, valof r₀*), ..., ({(∅₀*, valof *), (r₀*, output n₀), ..., (rₖ*, output nₖ)}*, valof rₖ₊₁*)}*

is enabled. Option 3 is simulated by adding the event

(C, valof {(∅₀*, valof *), (r₀*, output n₀), ..., (rₖ*, output nₖ), (rₖ₊₁*, output nₖ₊₁)}*)

to Alg(O³).

When a final stage in which O³ gives a global answer m on O² is reached, O³ has explored a subtree O²′ of O². Hence the cell Alg(O²′)* is enabled by the Alg(O³) constructed so far, and it can be filled by output m, completing the translation.

Proving that Alg(O³) computes the same type 3 function as O³ is straightforward, using the same arguments as in proposition 2, but the complication of notations makes the proof longer and less understandable.

7  Conclusion 

We have seen that any (continuous and) unimonotone function is computed by some sequential algorithm, and that the converse does not hold. It would be interesting to compare unimonotone functions and the extensional sequential algorithms defined in [5] (the algorithm Strictness-tester at the end of section 5, which cannot be simulated by an oracle, is not extensional).

It is natural to ask whether or not any finite unimonotone function is PCF-definable. By rearranging Curien's examples of sequential and non-definable functionals [4, page 269] one can show that there exist type 3 continuous and unimonotone functionals which are non-definable. At type 2 the converse does hold, the λ-term defining a continuous and unimonotone type 2 functional being easily constructed from the finite tree associated to (an oracle for) f².
Abstract. We give an algorithm for deciding whether there exists a definable element of a finite model of an applied typed lambda calculus that passes certain tests, in the special case when all the constants and test arguments are of order at most one. When there is such an element, the algorithm outputs a term that passes the tests; otherwise, the algorithm outputs a logical relation that demonstrates the nonexistence of such an element. Several example applications of the C implementation of this algorithm are considered.

1  Introduction 

Given a model of an applied typed lambda calculus, it is natural to consider the problem of determining whether an element of that model is definable by a term, or, more generally, of determining whether there exists a definable element of the model that passes certain tests. One approach to settling such questions makes use of so-called "logical relations" [Plo80].

Building on recent work on logical relations by Sieber [Sie92], we give an algorithm for deciding whether there exists a definable element of a finite model that passes certain tests, in the special case when all the constants and test arguments are of order at most one. When there is such an element, the algorithm outputs a term that passes the tests; otherwise, the algorithm outputs a logical relation that demonstrates the nonexistence of such an element. Loader's recent proof of the undecidability of the lambda definability problem [Loa94] shows that the restriction to constants and test arguments of order at most one is necessary. (Specifically, Loader shows the undecidability of the problem of determining the definability of order-three elements of the full type hierarchy over a seven element set.)

The algorithm was first implemented in Standard ML and used to find an interesting non-definability proof (see Lemma 4.16 of [JS93]). An efficient implementation of the algorithm in ANSI C has now been written and applied to various definability problems, some examples of which are described below. A copy of this program, lambda, along with supporting documentation and a number of example lambda definability problems, can be obtained by anonymous ftp. Connect to ftp.cis.ksu.edu, login as anonymous, change directory to pub/CIS/Stoughton/lambda, retrieve the file README, and follow the instructions given in that file.

*The research reported here was partially supported by ESPRIT project CLICS-II and was performed while the author was on the faculty of the School of Cognitive and Computing Sciences of the University of Sussex.
2 The typed lambda calculus

This section consists of the mostly standard definitions concerning the syntax and semantics of the typed lambda calculus that will be required in the sequel. An introduction to the typed lambda calculus can be found, e.g., in [Mit90].

The set of types T is least such that

(i) ι ∈ T,

(ii) σ → τ ∈ T if σ ∈ T and τ ∈ T.

We let → associate to the right. The order ord σ ∈ ω of a type σ ∈ T is defined by ord ι = 0 and ord(σ → τ) = the maximum of 1 + ord σ and ord τ. The arity ar σ ∈ ω of a type σ is defined by ar ι = 0 and ar(σ → τ) = 1 + ar τ. Thus, if n > 0 and σᵢ ∈ T for all i ∈ n, then ord(σ₀ → ⋯ → σₙ₋₁ → ι) = 1 + the maximum of { ord σᵢ | i ∈ n } and ar(σ₀ → ⋯ → σₙ₋₁ → ι) = n.

Define σⁿ, for n ∈ ω, by: σ⁰ = σ and σⁿ⁺¹ = σ → σⁿ. Thus, for all n ∈ ω, ar σⁿ = n + ar σ, and ord σⁿ is ord σ, if n = 0, and is 1 + ord σ, otherwise. It is easy to see that σ has order at most one just when it is of the form ιⁿ for some n ∈ ω.

Many operations and concepts extend naturally from sets to T-indexed families of sets, in a pointwise manner. For example, given an ordinal α, an α-ary relation over a T-indexed family of sets A is a T-indexed family of α-ary relations R_σ over A_σ. We will make use of this and other such extensions without explicit comment. We sometimes confuse a T-indexed family of sets A with ⋃_{σ∈T} A_σ.

V is a T-indexed family of disjoint, denumerable sets of variables. A family of constants C is a T-indexed family of disjoint sets. We say that such a C is finite iff ⋃_{σ∈T} C_σ is finite, and that C is infinite otherwise. The order ord C ∈ ω ∪ {∞} of C is the greatest element of { ord σ | σ ∈ T and C_σ ≠ ∅ } if it exists, and ∞ otherwise.

The family Λ(C) of typed λ-terms over a family of constants C is least such that

(i) c ∈ Λ(C)_σ if c ∈ C_σ,

(ii) x ∈ Λ(C)_σ if x ∈ V_σ,

(iii) M N ∈ Λ(C)_τ if M ∈ Λ(C)_{σ→τ} and N ∈ Λ(C)_σ,

(iv) λx.M ∈ Λ(C)_{σ→τ} if x ∈ V_σ and M ∈ Λ(C)_τ.

We call a term M N an application and a term λx.M an abstraction. We let application associate to the left, and abbreviate λx₀. ⋯ λxₙ₋₁. M to λx₀ ⋯ xₙ₋₁. M. (When n = 0, λx₀ ⋯ xₙ₋₁. M = M.) The set of free variables fv M ⊆ ⋃_{σ∈T} V_σ of a term M ∈ Λ(C) is defined by fv c = ∅, fv x = {x}, fv(M N) = fv M ∪ fv N and fv(λx.M) = fv M − {x}. A term M ∈ Λ(C) is closed iff fv M = ∅, and open otherwise.

We write Γ(C) for the family of λ-free terms over C: Γ(C)_σ = { M ∈ Λ(C)_σ | M is λ-free }. The depth depth M ∈ ω of a λ-free term M is defined by depth c = depth x = 0 and depth(M N) = the maximum of depth M and 1 + depth N. The size size M ∈ ω of a λ-free term M is defined by size c = size x = 1 and size(M N) = size M + size N. Thus, if n > 0, σᵢ ∈ T for all i ∈ n, Mᵢ ∈ Γ(C)_{σᵢ} for all i ∈ n and d is a constant or variable of type σ₀ → ⋯ → σₙ₋₁ → ι, then depth(d M₀ ⋯ Mₙ₋₁) = 1 + the maximum of { depth Mᵢ | i ∈ n } and size(d M₀ ⋯ Mₙ₋₁) = 1 + size M₀ + ⋯ + size Mₙ₋₁.
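The definitions just given (types with ord and ar, the iterated type σⁿ, terms with fv, and depth and size of λ-free terms), as an added executable example that is not part of the paper: types are encoded as nested pairs and terms as small dataclasses, an encoding assumed here; function names follow the text, except ord_ for ord, to avoid shadowing Python's built-in. The closing checks in the usage note confirm the two claims of the text about ιⁿ and about depth and size of an applied head d M₀ ⋯ Mₙ₋₁.

```python
from dataclasses import dataclass
from typing import Union

IOTA = "ι"          # the base type; σ → τ is encoded as the pair (σ, τ)


def arrow(*types):
    """arrow(σ₀, ..., σₙ₋₁, τ) = σ₀ → ⋯ → σₙ₋₁ → τ, with → associating to the right."""
    *args, result = types
    for s in reversed(args):
        result = (s, result)
    return result


def ord_(t) -> int:
    """ord ι = 0, ord(σ → τ) = max(1 + ord σ, ord τ)."""
    return 0 if t == IOTA else max(1 + ord_(t[0]), ord_(t[1]))


def ar(t) -> int:
    """ar ι = 0, ar(σ → τ) = 1 + ar τ."""
    return 0 if t == IOTA else 1 + ar(t[1])


def power(s, n: int):
    """σ⁰ = σ, σⁿ⁺¹ = σ → σⁿ."""
    return s if n == 0 else (s, power(s, n - 1))


@dataclass(frozen=True)
class Const:
    name: str
    type: object


@dataclass(frozen=True)
class Var:
    name: str
    type: object


@dataclass(frozen=True)
class App:
    fun: "Term"
    arg: "Term"


@dataclass(frozen=True)
class Lam:
    var: Var
    body: "Term"


Term = Union[Const, Var, App, Lam]


def apply(head: Term, *args: Term) -> Term:
    """head M₀ ⋯ Mₙ₋₁, application associating to the left."""
    for a in args:
        head = App(head, a)
    return head


def typeof(M: Term):
    """The type of a well-formed term; raises TypeError on an ill-typed application."""
    if isinstance(M, (Const, Var)):
        return M.type
    if isinstance(M, App):
        ft = typeof(M.fun)
        if ft == IOTA or typeof(M.arg) != ft[0]:
            raise TypeError(f"ill-typed application {M}")
        return ft[1]
    return (M.var.type, typeof(M.body))      # λx.M : σ → τ


def fv(M: Term) -> frozenset:
    """fv c = ∅, fv x = {x}, fv(M N) = fv M ∪ fv N, fv(λx.M) = fv M − {x}."""
    if isinstance(M, Const):
        return frozenset()
    if isinstance(M, Var):
        return frozenset({M})
    if isinstance(M, App):
        return fv(M.fun) | fv(M.arg)
    return fv(M.body) - {M.var}


def depth(M: Term) -> int:
    """depth c = depth x = 0, depth(M N) = max(depth M, 1 + depth N); λ-free terms only."""
    if isinstance(M, Lam):
        raise ValueError("depth is defined on λ-free terms only")
    return 0 if isinstance(M, (Const, Var)) else max(depth(M.fun), 1 + depth(M.arg))


def size(M: Term) -> int:
    """size c = size x = 1, size(M N) = size M + size N; λ-free terms only."""
    if isinstance(M, Lam):
        raise ValueError("size is defined on λ-free terms only")
    return 1 if isinstance(M, (Const, Var)) else size(M.fun) + size(M.arg)
```

With d : ι → ι → ι and variables x, y : ι, the λ-free term d x (d y y) has depth 2 and size 5, matching 1 + max{depth x, depth(d y y)} and 1 + size x + size(d y y); ord_(power(IOTA, n)) is 1 for every n > 0 and ar(power(IOTA, n)) is n.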

We write f a for the application of a function f to an argument a, and let function application associate to the left. The set of all functions from a set A to a set B is denoted by A → B, and → associates to the right.

A type frame A is a T-indexed set such that A_ι ≠ ∅ and A_{σ→τ} ⊆ A_σ → A_τ for all σ, τ ∈ T. We say that such an A is finite iff A_ι is finite, and that A is infinite otherwise. The set Env_A (or just Env) of environments over A consists of the set of all type-respecting functions from ⋃_{σ∈T} V_σ to ⋃_{σ∈T} A_σ. If ρ ∈ Env, a ∈ A_σ and x ∈ V_σ, then ρ[a/x] ∈ Env is the environment that sends x to a, and sends all y ≠ x to ρ y. We write Sem_A (or just Sem) for the T-indexed family of sets defined by Sem_σ = Env → A_σ.

A $\Lambda(C)$-model $\mathcal{A}$ consists of a type frame $A$, together with an element $c_{\mathcal{A}} \in A_\sigma$ for each $c \in C_\sigma$, such that the following recursive definition of the meaning $[\![M]\!] \in \mathrm{Sem}_\sigma$ of a term $M \in \Lambda(C)_\sigma$ is well-defined:

$$[\![c]\!]\rho = c_{\mathcal{A}}$$

$$[\![x]\!]\rho = \rho\,x$$

$$[\![M\,N]\!]\rho = ([\![M]\!]\rho)([\![N]\!]\rho)$$

$$[\![\lambda x.M]\!]\rho\,a = [\![M]\!]\rho[a/x].$$

When $M$ is closed, we often write $[\![M]\!]$ for $[\![M]\!]\rho$, where $\rho \in \mathrm{Env}$ is arbitrary. An element $a \in A_\sigma$ is definable iff there exists a closed term $M \in \Lambda(C)_\sigma$ such that $a = [\![M]\!]$. We say that $\mathcal{A}$ is finite iff $A$ is finite, and that $\mathcal{A}$ is infinite otherwise.

Our example model in the sequel will be the monotone function model of Finitary PCF: the restriction of PCF [Plo77] to the booleans. We write $\mathrm{FPCF}$ for the family of constants such that $\mathrm{FPCF}_\iota = \{\Omega, \mathit{tt}, \mathit{ff}\}$, $\mathrm{FPCF}_{\iota^3} = \{\mathrm{If}\}$ and $\mathrm{FPCF}_\sigma = \emptyset$ for all other $\sigma \in T$, and define a finite $\Lambda(\mathrm{FPCF})$-model $\mathcal{F}$ as follows. $F_\iota$ is the poset $\{\bot, \mathit{tt}, \mathit{ff}\}$, where $\bot$ is below ($\sqsubseteq$) the incomparable elements $\mathit{tt}$ and $\mathit{ff}$, and $F_{\sigma\to\tau}$ is the set of all monotonic functions from $F_\sigma$ to $F_\tau$, ordered pointwise ($f \sqsubseteq g$ iff $f\,a \sqsubseteq g\,a$ for all $a$). We then set $\Omega_{\mathcal{F}} = \bot$, $\mathit{tt}_{\mathcal{F}} = \mathit{tt}$, $\mathit{ff}_{\mathcal{F}} = \mathit{ff}$ and define $\mathrm{If}_{\mathcal{F}}$ by

$$\mathrm{If}_{\mathcal{F}}\,x\,y\,z = \begin{cases} \bot & \text{if } x = \bot, \\ y & \text{if } x = \mathit{tt}, \\ z & \text{if } x = \mathit{ff}. \end{cases}$$

One shows that the meaning function for $\mathcal{F}$ is well-defined by ordering $\mathrm{Env}_F$ pointwise and showing by induction on $M$ that $[\![M]\!]$ is both well-defined and monotonic.

3  Definability 

We now consider the problem of determining whether an element of a $\Lambda(C)$-model is definable, or, more generally, of determining whether there exists a definable element of a $\Lambda(C)$-model that passes certain tests. For example, we can ask whether the "parallel or" operation of the $\Lambda(\mathrm{FPCF})$-model $\mathcal{F}$ is definable, i.e., whether there exists a closed term $M$ of type $\iota^2$ such that

$$[\![M]\!]\,\mathit{tt}\,\bot = \mathit{tt}$$

$$[\![M]\!]\,\bot\,\mathit{tt} = \mathit{tt}$$

$$[\![M]\!]\,\mathit{ff}\,\mathit{ff} = \mathit{ff}.$$

One approach to settling such questions makes use of so-called "logical relations" [Plo80]. It is easier to say what logical relations are if we first extend function application from elements of type frames to tuples of elements of type frames, in a componentwise manner. Suppose $A$ is a type frame, $\alpha$ is an ordinal and $\sigma, \tau \in T$. If $X = (x_\lambda \in A_{\sigma\to\tau} \mid \lambda \in \alpha)$ and $Y = (y_\lambda \in A_\sigma \mid \lambda \in \alpha)$, then we define the application $X\,Y$ of $X$ to $Y$ to be $(x_\lambda\,y_\lambda \in A_\tau \mid \lambda \in \alpha)$, and let $X\,Y$ associate to the left. Given an $a \in A_\sigma$, we sometimes write $a$ for $(a \mid \lambda \in \alpha) \in A_\sigma^\alpha$.

An $\alpha$-ary logical relation $R$ over a type frame $A$ is an $\alpha$-ary relation over $A$ such that $X \in R_{\sigma\to\tau}$ iff $X\,Y \in R_\tau$ for all $Y \in R_\sigma$. We say that an $\alpha$-tuple $X \in A_\sigma^\alpha$ satisfies such an $R$ iff $X \in R_\sigma$. An $\alpha$-ary logical relation $R$ over a $\Lambda(C)$-model $\mathcal{A}$ is an $\alpha$-ary logical relation over $A$ such that $c_{\mathcal{A}}$ satisfies $R$ for all $c \in C$.

The following theorem and its corollary show why logical relations are useful for showing non-definability results.

Theorem 3.1 (Plotkin) If $R$ is an $\alpha$-ary logical relation over a $\Lambda(C)$-model $\mathcal{A}$, then $[\![M]\!]$ satisfies $R$ for all closed $M \in \Lambda(C)$.

Proof. An easy induction on $\Lambda(C)$ shows that, for all $M \in \Lambda(C)_\sigma$ and $\rho_\lambda \in \mathrm{Env}$ for all $\lambda \in \alpha$, if $(\rho_\lambda\,x \mid \lambda \in \alpha) \in R_\tau$ for all $x \in \mathrm{fv}\,M \cap V_\tau$ and $\tau \in T$, then $([\![M]\!]\rho_\lambda \mid \lambda \in \alpha) \in R_\sigma$. The result then follows immediately. □

Corollary 3.2 Let $\mathcal{A}$ be a $\Lambda(C)$-model, $A_i \in A_{\sigma_i}^\alpha$ for all $i \in m$, $X \in A_\tau^\alpha$ and $R$ be an $\alpha$-ary logical relation over $\mathcal{A}$, for $m \in \omega$ and an ordinal $\alpha$. If $R$ is satisfied by $A_i$ for all $i \in m$ but is not satisfied by $X$, then there is no definable $a \in A_{\sigma_0 \to \cdots \to \sigma_{m-1} \to \tau}$ such that $a\,A_0 \cdots A_{m-1} = X$.

Proof. Immediate from Theorem 3.1. □

We can, e.g., use Corollary 3.2 to prove Plotkin's result [Plo77] that parallel or is not definable in Finitary PCF. (Although the following proof is due to Plotkin, he never published it. It was recently rediscovered by Sieber [Sie92].) Define argument tuples $A_i \in F_\iota^3$ for all $i \in 2$ and a result tuple $X \in F_\iota^3$ by taking $A_0 = (\mathit{tt}, \bot, \mathit{ff})$ (the first argument column of the display at the beginning of this section), $A_1 = (\bot, \mathit{tt}, \mathit{ff})$ (the second argument column of that display) and $X = (\mathit{tt}, \mathit{tt}, \mathit{ff})$ (the result column of that display). Let $R$ be the ternary logical relation over $F$ such that $(x, y, z) \in R_\iota$ iff $x = y = z$ or one of $x$ or $y$ is $\bot$. It is easy to show that $R$ is satisfied by the interpretations of $\Omega$, $\mathit{tt}$, $\mathit{ff}$ and $\mathrm{If}$. But $R$ is satisfied by $A_0$ and $A_1$ but not by $X$, allowing us to conclude that there is no definable $f \in F_{\iota^2}$ such that $f\,A_0\,A_1 = X$.

Loader's recent proof of the undecidability of the lambda definability problem [Loa94] shows that Corollary 3.2 fails to provide a complete method for showing non-definability (and thus definability) results. However, a slight generalization of Theorem 4.1 of [Sie92] shows that it does provide a complete method in the special case where the orders of $C$ and the $\sigma_i$'s are at most one (cf. Theorem 1 of [Plo80] and Theorem 5 of [JT93]).

Definition 3.3 Suppose $\mathcal{A}$ is a $\Lambda(C)$-model and $A = (A_i \in A_{\sigma_i}^\alpha \mid i \in m)$, for $m \in \omega$ and an ordinal $\alpha$ and where $C$ and the $\sigma_i$'s have order at most one. Then, $R(A)$ is the $\alpha$-ary logical relation over $A$ such that $X \in R(A)_\iota$ iff $a\,A_0 \cdots A_{m-1} = X$ for some definable $a \in A_{\sigma_0 \to \cdots \to \sigma_{m-1} \to \iota}$.

Lemma 3.4 (Sieber) Suppose $\mathcal{A}$ is a $\Lambda(C)$-model and $A = (A_i \in A_{\sigma_i}^\alpha \mid i \in m)$, for $m \in \omega$ and an ordinal $\alpha$ and where $C$ and the $\sigma_i$'s have order at most one. Then, $R(A)$ is an $\alpha$-ary logical relation over $\mathcal{A}$ that is satisfied by $A_i$ for all $i \in m$.

Proof. Suppose that $c \in C_{\iota^n}$. If $Y_0, \ldots, Y_{n-1} \in R(A)_\iota$, then there are closed terms $M_0, \ldots, M_{n-1}$ of type $\sigma_0 \to \cdots \to \sigma_{m-1} \to \iota$ such that $[\![M_j]\!]\,A_0 \cdots A_{m-1} = Y_j$ for all $j \in n$. Then, the term

$$M = \lambda x_0 \cdots x_{m-1}.\, c\,(M_0\,x_0 \cdots x_{m-1}) \cdots (M_{n-1}\,x_0 \cdots x_{m-1})$$

of type $\sigma_0 \to \cdots \to \sigma_{m-1} \to \iota$ is such that

$$[\![M]\!]\,A_0 \cdots A_{m-1} = c_{\mathcal{A}}\,Y_0 \cdots Y_{n-1},$$

showing that $c_{\mathcal{A}}\,Y_0 \cdots Y_{n-1} \in R(A)_\iota$. Thus $c_{\mathcal{A}}$ satisfies $R(A)$. The proof that $A_i$ satisfies $R(A)$ for all $i \in m$ is almost identical ($x_i$ is used in the term $M$ instead of $c$). □

Theorem 3.5 (Sieber) Suppose $\mathcal{A}$ is a $\Lambda(C)$-model, $A = (A_i \in A_{\sigma_i}^\alpha \mid i \in m)$ and $X \in A_\iota^\alpha$, for $m \in \omega$ and an ordinal $\alpha$ and where $C$ and the $\sigma_i$'s have order at most one. Then, $a\,A_0 \cdots A_{m-1} = X$ for some definable $a \in A_{\sigma_0 \to \cdots \to \sigma_{m-1} \to \iota}$ iff every $\alpha$-ary logical relation over $\mathcal{A}$ that is satisfied by $A_i$ for all $i \in m$ is also satisfied by $X$.

Proof. Immediate from Corollary 3.2 and Lemma 3.4. □

Although Theorem 3.5 gives a characterization of $R(A)_\iota$, the fact that this characterization involves the universal quantification over all $\alpha$-ary logical relations over $\mathcal{A}$ that are satisfied by the $A_i$ limits its practical utility. It turns out, however, that we can give a much more direct characterization of $R(A)_\iota$.

Definition 3.6 Suppose $\mathcal{A}$ is a $\Lambda(C)$-model and $A = (A_i \in A_{\sigma_i}^\alpha \mid i \in m)$, for $m \in \omega$ and an ordinal $\alpha$ and where $C$ and the $\sigma_i$'s have order at most one. Then, $L(A)$ is the $\alpha$-ary logical relation over $A$ such that $L(A)_\iota$ is the least $\alpha$-ary relation over $A_\iota$ that is closed under $c_{\mathcal{A}}$, for all $c \in C$, and $A_i$, for all $i \in m$, where the $c_{\mathcal{A}}$'s and $A_i$'s are viewed as operations over $A_\iota^\alpha$ in the obvious way.
Lemma 3.7 Suppose $\mathcal{A}$ is a $\Lambda(C)$-model and $A = (A_i \in A_{\sigma_i}^\alpha \mid i \in m)$, for $m \in \omega$ and an ordinal $\alpha$ and where $C$ and the $\sigma_i$'s have order at most one. Let $x_i \in V_{\sigma_i}$ for all $i \in m$ be distinct variables.

(i) Suppose that $c \in C_{\iota^n}$, $Y_0, \ldots, Y_{n-1} \in A_\iota^\alpha$ and $M_0, \ldots, M_{n-1} \in \Gamma(C)_\iota$. If $\mathrm{fv}\,M_j \subseteq \{x_0, \ldots, x_{m-1}\}$ and

$$[\![\lambda x_0 \cdots x_{m-1}.\,M_j]\!]\,A_0 \cdots A_{m-1} = Y_j,$$

for all $j \in n$, then the $\lambda$-free term $M = c\,M_0 \cdots M_{n-1}$ of type $\iota$ is such that $\mathrm{fv}\,M \subseteq \{x_0, \ldots, x_{m-1}\}$ and

$$[\![\lambda x_0 \cdots x_{m-1}.\,M]\!]\,A_0 \cdots A_{m-1} = c_{\mathcal{A}}\,Y_0 \cdots Y_{n-1}.$$

(ii) Suppose that $i \in m$, $Y_0, \ldots, Y_{\mathrm{ar}\,\sigma_i - 1} \in A_\iota^\alpha$ and $M_0, \ldots, M_{\mathrm{ar}\,\sigma_i - 1} \in \Gamma(C)_\iota$. If $\mathrm{fv}\,M_j \subseteq \{x_0, \ldots, x_{m-1}\}$ and

$$[\![\lambda x_0 \cdots x_{m-1}.\,M_j]\!]\,A_0 \cdots A_{m-1} = Y_j,$$

for all $j \in \mathrm{ar}\,\sigma_i$, then the $\lambda$-free term $M = x_i\,M_0 \cdots M_{\mathrm{ar}\,\sigma_i - 1}$ of type $\iota$ is such that $\mathrm{fv}\,M \subseteq \{x_0, \ldots, x_{m-1}\}$ and

$$[\![\lambda x_0 \cdots x_{m-1}.\,M]\!]\,A_0 \cdots A_{m-1} = A_i\,Y_0 \cdots Y_{\mathrm{ar}\,\sigma_i - 1}.$$

(iii) For all $X \in L(A)_\iota$, there is an $M \in \Gamma(C)_\iota$ such that $\mathrm{fv}\,M \subseteq \{x_0, \ldots, x_{m-1}\}$ and

$$[\![\lambda x_0 \cdots x_{m-1}.\,M]\!]\,A_0 \cdots A_{m-1} = X.$$

Proof. (i) and (ii) are immediate, and (iii) follows from (i) and (ii) by induction on $L(A)_\iota$. □

Lemma 3.8 Suppose $\mathcal{A}$ is a $\Lambda(C)$-model and $A = (A_i \in A_{\sigma_i}^\alpha \mid i \in m)$, for $m \in \omega$ and an ordinal $\alpha$ and where $C$ and the $\sigma_i$'s have order at most one. Then, $L(A) = R(A)$.

Proof. $L(A)$ is clearly an $\alpha$-ary logical relation over $\mathcal{A}$ that is satisfied by $A_i$ for all $i \in m$, and $L(A)_\iota \subseteq R(A)_\iota$ follows from Lemma 3.7 (iii). For the opposite inclusion, if $X \notin L(A)_\iota$, then there is no definable $a \in A_{\sigma_0 \to \cdots \to \sigma_{m-1} \to \iota}$ such that $a\,A_0 \cdots A_{m-1} = X$, by Corollary 3.2, and thus $X \notin R(A)_\iota$. □

Theorem 3.9 Suppose $\mathcal{A}$ is a $\Lambda(C)$-model, $A = (A_i \in A_{\sigma_i}^\alpha \mid i \in m)$ and $X \in A_\iota^\alpha$, for $m \in \omega$ and an ordinal $\alpha$ and where $C$ and the $\sigma_i$'s have order at most one. Then, $a\,A_0 \cdots A_{m-1} = X$ for some definable $a \in A_{\sigma_0 \to \cdots \to \sigma_{m-1} \to \iota}$ iff $X \in L(A)_\iota$.

Proof. Immediate from Lemma 3.8. □

Theorem  3.9  and  Lemma  3.7  suggest  the  following  algorithm  schema. 
Algorithm Schema 3.10 Inputs. A finite family of constants $C$ of order at most one, $m, \alpha \in \omega$, types $\sigma_0, \ldots, \sigma_{m-1}$ of order at most one, a finite, nonempty set $A_\iota$, $c_{\mathcal{A}} \in A_{\iota^n}$ for each $c \in C_{\iota^n}$, $A = (A_i \in A_{\sigma_i}^\alpha \mid i \in m)$ and $X \in A_\iota^\alpha$, where we extend $A_\iota$ to a type frame $A$ by taking $A_{\sigma\to\tau}$ to be the set of all functions from $A_\sigma$ to $A_\tau$ for all $\sigma, \tau \in T$.

Initialization. Pick distinct variables $x_i \in V_{\sigma_i}$ for all $i \in m$. Initialize the stage $k \in \omega$ to $0$. Let $Z \subseteq U$ be

$$\{\, (c_{\mathcal{A}}, c) \mid c \in C_\iota \,\} \cup \{\, (A_i, x_i) \mid i \in m \text{ and } \sigma_i = \iota \,\},$$

where $U$ is the set of all pairs $(Y, M)$ such that $Y \in A_\iota^\alpha$, $M \in \Gamma(C)_\iota$ and $\mathrm{fv}\,M \subseteq \{x_0, \ldots, x_{m-1}\}$. Initialize the state $S \subseteq U$ to a subset of $Z$ that is a function with domain $\mathrm{dom}\,Z$. (The particular subset chosen is left unspecified, as is the method used to compute that subset; it need not involve the construction of $Z$.) If $(X, M) \in S$ for some term $M$, then terminate with $k$ and the term $\lambda x_0 \cdots x_{m-1}.\,M$.

Loop. Let $Z = Z_1 \cup Z_2$, where $Z_1 \subseteq U$ is the set of all

$$(c_{\mathcal{A}}\,Y_0 \cdots Y_{n-1},\; c\,M_0 \cdots M_{n-1})$$

such that $c \in C_{\iota^n}$, $n > 0$ and $(Y_j, M_j) \in S$ for all $j \in n$, and $Z_2 \subseteq U$ is the set of all

$$(A_i\,Y_0 \cdots Y_{\mathrm{ar}\,\sigma_i - 1},\; x_i\,M_0 \cdots M_{\mathrm{ar}\,\sigma_i - 1})$$

such that $i \in m$, $\mathrm{ar}\,\sigma_i > 0$ and $(Y_j, M_j) \in S$ for all $j \in \mathrm{ar}\,\sigma_i$. Pick a subset $S'$ of $Z$ such that $S'$ is a function with domain $\mathrm{dom}\,Z - \mathrm{dom}\,S$ and (†) $(Y, M) \in S'$ implies that $\mathrm{size}\,M \leq \mathrm{size}\,N$ for all $N$ that are paired with $Y$ in $Z$. (The particular subset chosen is left unspecified, as is the method used to compute that subset; it need not involve the construction of $Z$, $Z_1$ or $Z_2$.) If $S' = \emptyset$, then terminate with $k$ and $\mathrm{dom}\,S$. Otherwise, increment $k$ by one and add the elements of $S'$ to $S$. (‡) If $(X, M) \in S$ for some term $M$, then terminate with $k$ and the term $\lambda x_0 \cdots x_{m-1}.\,M$. Otherwise, repeat.
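As an added example, not code from the paper or from its lambda tool (which emits C), here is a Python instance of Algorithm Schema 3.10; the function names (synthesize, por_problem, left_or_problem) and the string encodings of $\bot$, $\mathit{tt}$ and $\mathit{ff}$ are my own choices for the details the schema leaves open. It runs the closure on the parallel-or problem of Section 3, where the relation stabilizes after one stage without reaching $X$, and on a definable left-strict variant, where a term is found.

```python
from itertools import product

BOT, TT, FF = "_|_", "tt", "ff"          # the elements of A_iota = F_iota
IOTA = (BOT, TT, FF)


def if_f(x, y, z):
    """If_F of the monotone model F: strict in its first argument."""
    return BOT if x == BOT else (y if x == TT else z)


# The constants FPCF as (name, arity n, interpretation c_A over A_iota).
FPCF = [("Omega", 0, lambda: BOT), ("tt", 0, lambda: TT),
        ("ff", 0, lambda: FF), ("If", 3, if_f)]


def paren(term):
    """Parenthesize an application that occurs as an argument."""
    return "(" + term + ")" if " " in term else term


def synthesize(alpha, consts, args, X):
    """One instance of Algorithm Schema 3.10 (my own choices for the
    details the schema leaves open).

    consts: (name, n, f) with f an n-ary function on A_iota, for c in C_{iota^n};
    args:   (variable, ar sigma_i, A_i) with A_i an alpha-tuple of elements
            (ar sigma_i = 0) or of ar sigma_i-ary functions (ar sigma_i > 0);
    X:      the result alpha-tuple.
    Returns (stage k, closed term or None, dom S); when no term is found,
    dom S is L(A)_iota (Theorem 3.11 (ii))."""
    # Operators act componentwise on alpha-tuples (Lemma 3.7 (i), (ii)): a
    # constant uses the same function in every component, x_i uses A_i[lam].
    ops = [(c, n, [f] * alpha) for c, n, f in consts if n > 0]
    ops += [(x, r, list(A)) for x, r, A in args if r > 0]
    # Initialization: S maps each tuple to (term, size); the stage k is 0.
    S = {}
    for c, n, f in consts:
        if n == 0:
            S.setdefault(tuple(f() for _ in range(alpha)), (c, 1))
    for x, r, A in args:
        if r == 0:
            S.setdefault(tuple(A), (x, 1))
    k = 0
    while X not in S:
        # Loop: Z collects the tuples in dom Z - dom S, each with a term of
        # minimal size among those producing it, which is condition (dagger).
        Z = {}
        for head, n, comps in ops:
            for ys in product(list(S), repeat=n):
                y = tuple(comps[lam](*(t[lam] for t in ys)) for lam in range(alpha))
                if y in S:
                    continue
                term = head + " " + " ".join(paren(S[t][0]) for t in ys)
                size = 1 + sum(S[t][1] for t in ys)
                if y not in Z or size < Z[y][1]:
                    Z[y] = (term, size)
        if not Z:                    # S' is empty: L(A)_iota has stabilized
            return k, None, frozenset(S)
        k += 1                       # otherwise add S' = Z to S and go on
        S.update(Z)
    binder = "λ" + " ".join(x for x, _, _ in args) + ". "
    return k, binder + S[X][0], frozenset(S)


def plotkin_relation():
    """The ternary relation of Section 3: x = y = z or one of x, y is _|_."""
    return frozenset(t for t in product(IOTA, repeat=3)
                     if t[0] == t[1] == t[2] or BOT in t[:2])


def por_problem():
    """Parallel or: A_0 = (tt,_|_,ff), A_1 = (_|_,tt,ff), X = (tt,tt,ff)."""
    args = [("x0", 0, (TT, BOT, FF)), ("x1", 0, (BOT, TT, FF))]
    return synthesize(3, FPCF, args, (TT, TT, FF))


def left_or_problem():
    """A definable variant (left-strict or): A_0 = (tt,ff,ff), same A_1, X."""
    args = [("x0", 0, (TT, FF, FF)), ("x1", 0, (BOT, TT, FF))]
    return synthesize(3, FPCF, args, (TT, TT, FF))


if __name__ == "__main__":
    k, term, rel = por_problem()
    print(k, term, rel == plotkin_relation())   # 1 None True
    print(left_or_problem()[:2])                # (1, 'λx0 x1. If x0 tt x1')
```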

An instance of Algorithm Schema 3.10 is an algorithm formed from the schema by specifying the details that were left open. Condition (†) is included since experience suggests that it ensures that instances of the schema generate good quality terms. Theorem 3.11 doesn't depend upon (†) being included, however.

Theorem 3.11 If we supply the required inputs to an instance of Algorithm Schema 3.10, then one of the following statements holds.

(i) The algorithm terminates with a stage $l$ and a closed term of the form $\lambda x_0 \cdots x_{m-1}.\,M$, for distinct variables $x_i \in V_{\sigma_i}$ and a $\lambda$-free term $M$ of type $\iota$ and depth $l$. Let $\mathcal{B}$ be any $\Lambda(C)$-model such that $B_\iota = A_\iota$, $c_{\mathcal{B}} = c_{\mathcal{A}}$ for all $c \in C$, and $A_i \in B_{\sigma_i}^\alpha$ for all $i \in m$. Then, $[\![\lambda x_0 \cdots x_{m-1}.\,M]\!]\,A_0 \cdots A_{m-1} = X$. Furthermore, if $N \in \Gamma(C)_\iota$ is such that $\mathrm{fv}\,N \subseteq \{x_0, \ldots, x_{m-1}\}$ and $[\![\lambda x_0 \cdots x_{m-1}.\,N]\!]\,A_0 \cdots A_{m-1} = X$, then $\mathrm{depth}\,M \leq \mathrm{depth}\,N$.

(ii) The algorithm terminates with a stage $l$ and an $\alpha$-ary relation $Q$ over $A_\iota$ such that $X \notin Q$. If $\mathcal{B}$ is a $\Lambda(C)$-model with the above properties, then $Q = L(A)_\iota$, so that there is no definable $b \in B_{\sigma_0 \to \cdots \to \sigma_{m-1} \to \iota}$ such that $b\,A_0 \cdots A_{m-1} = X$.

Proof. Let $S_0$ be the initial value of $S$, and $S_l$, for $l \geq 1$, be $S$'s value when point (‡) is reached for the $l$th time (at which point $k$'s value will be $l$; $S_l$ is undefined if the algorithm terminates before (‡) has been executed $l$ times). Then, the following properties hold (for (d)-(f), $\mathcal{B}$ is a $\Lambda(C)$-model with the properties specified in the theorem's statement):

(a) If $S_l$ is defined, then $S_l$ is a function.

(b) If $S_{l+1}$ is defined, then it is a proper superset of $S_l$.

(c) If $S_l$ is defined, $(Y, M) \in S_l$ and either $l = 0$ or $Y \notin \mathrm{dom}\,S_{l-1}$, then $\mathrm{depth}\,M = l$.

(d) If $S_l$ is defined, then $\mathrm{dom}\,S_l \subseteq L(A)_\iota$.

(e) If $S_l$ is defined and $(Y, M) \in S_l$, then $[\![\lambda x_0 \cdots x_{m-1}.\,M]\!]\,A_0 \cdots A_{m-1} = Y$.

(f) If $S_l$ is defined, $M \in \Gamma(C)_\iota$, $\mathrm{fv}\,M \subseteq \{x_0, \ldots, x_{m-1}\}$ and $\mathrm{depth}\,M = l$, then $[\![\lambda x_0 \cdots x_{m-1}.\,M]\!]\,A_0 \cdots A_{m-1} \in \mathrm{dom}\,S_l$.

The proofs of properties (a), (d) and (e) are by induction on $l$, and Lemma 3.7 (i) and (ii) are used in (e)'s proof. The proof of (b) is obvious.

For (c), we use a course of values induction on $l$. We consider the case where $M$ has the form $c\,M_0 \cdots M_{n-1}$ (the case where $M$ has the form $x_i\,M_0 \cdots M_{\mathrm{ar}\,\sigma_i - 1}$ is similar). If $l = 0$, then $n = 0$, and thus $\mathrm{depth}\,M = \mathrm{depth}\,c = 0$. So, suppose that $l > 0$, so that $Y \notin \mathrm{dom}\,S_{l-1}$. Then, $n > 0$ and there are $Y_j \in A_\iota^\alpha$ for all $j \in n$ such that $(Y_j, M_j) \in S_{l-1}$ for all $j \in n$ and $Y = c_{\mathcal{A}}\,Y_0 \cdots Y_{n-1}$. Let the stages $p_j < l$ for all $j \in n$ be such that $Y_j \in \mathrm{dom}\,S_{p_j}$ and either $p_j = 0$ or $Y_j \notin \mathrm{dom}\,S_{p_j - 1}$. Then, $\mathrm{depth}\,M_j = p_j$ for all $j \in n$, by the inductive hypotheses for the $p_j$'s, so that $\mathrm{depth}\,M \leq l$. But, there must be a $j \in n$ such that $p_j = l - 1$, since otherwise $Y \in \mathrm{dom}\,S_{l-1}$. Thus, $\mathrm{depth}\,M = l$.

The proof of (f) also proceeds by course of values induction on $l$, and, again, we consider the case where $M$ has the form $c\,M_0 \cdots M_{n-1}$. If $l = 0$, then $n = 0$, and thus $[\![\lambda x_0 \cdots x_{m-1}.\,M]\!]\,A_0 \cdots A_{m-1} = c_{\mathcal{A}} \in \mathrm{dom}\,S_l$. So, suppose that $l > 0$, so that $n > 0$. Let $p_j < l$ and $Y_j \in A_\iota^\alpha$, for all $j \in n$, be $\mathrm{depth}\,M_j$ and $[\![\lambda x_0 \cdots x_{m-1}.\,M_j]\!]\,A_0 \cdots A_{m-1}$, respectively. Then, by the inductive hypotheses for the $p_j$'s, we have that $Y_j \in \mathrm{dom}\,S_{p_j}$ for all $j \in n$, so that $c_{\mathcal{A}}\,Y_0 \cdots Y_{n-1} \in \mathrm{dom}\,S_l$. But $[\![\lambda x_0 \cdots x_{m-1}.\,M]\!]\,A_0 \cdots A_{m-1} = c_{\mathcal{A}}\,Y_0 \cdots Y_{n-1}$, by Lemma 3.7 (i), and thus we are done.

From (a) and (b) and the fact that there are only finitely many $\alpha$-tuples over $A_\iota$, we can conclude that there is a largest $l$ such that $S_l$ is defined.

Suppose $(X, M) \in S_l$ for some $M$, so that either $l = 0$ or $X \notin \mathrm{dom}\,S_{l-1}$ (otherwise, $S_l$ would be undefined). Then, the algorithm terminates with a stage of $l$ and the closed term $\lambda x_0 \cdots x_{m-1}.\,M$, and $\mathrm{depth}\,M = l$ follows by (c). Let $\mathcal{B}$ be a $\Lambda(C)$-model satisfying the specified conditions. Then, $[\![\lambda x_0 \cdots x_{m-1}.\,M]\!]\,A_0 \cdots A_{m-1} = X$ by (e). Furthermore, if $N \in \Gamma(C)_\iota$ is such that $\mathrm{fv}\,N \subseteq \{x_0, \ldots, x_{m-1}\}$ and $[\![\lambda x_0 \cdots x_{m-1}.\,N]\!]\,A_0 \cdots A_{m-1} = X$, then
Figure 1: Lambda definability problems

problem       iota.sect funs.sect cons.sect tests.sect
iota.sect     iota Elem { Elem }
funs.sect     functions { fun }
fun           Fun clause { clause }
clause        pat { pat } = result
pat           Elem | Var | _
result        Elem | Var
cons.sect     constants { con }
con           Elem | Fun
tests.sect    tests test { test }
test          { test.arg } = test.result
test.arg      Elem | Fun
test.result   Elem

$\mathrm{depth}\,M \leq \mathrm{depth}\,N$, since otherwise (f) would imply that $X \in \mathrm{dom}\,S_{l'}$ for some $l' < l$.

Otherwise, $X \notin \mathrm{dom}\,S_l$, and thus the algorithm terminates with a stage of $l$ and $\mathrm{dom}\,S_l$. Let $\mathcal{B}$ be a $\Lambda(C)$-model satisfying the specified conditions. By (d) and the fact that $S_{l+1}$ is undefined, we have that $\mathrm{dom}\,S_l = L(A)_\iota$. Thus, there is no definable $b \in B_{\sigma_0 \to \cdots \to \sigma_{m-1} \to \iota}$ such that $b\,A_0 \cdots A_{m-1} = X$, by Theorem 3.9. □

Although instances of Algorithm Schema 3.10 always produce terms of minimal depth, they often fail to produce terms of minimal size. In fact, it is not hard to find an example of a pair of terms with identical depth and meaning, where the first term is produced by a schema instance and the second has strictly smaller size than the first (see the lambda definability problem size.lam that is included with lambda's distribution).

4  Implementation 

In this section, we describe an implementation, lambda, of an instance of Algorithm Schema 3.10, and give several examples of its use. Lambda doesn't carry out the algorithm's steps itself. Instead, it takes in a lambda definability problem, representing the algorithm's input data, and generates a C program that solves this problem, producing the algorithm's output.

The grammar in Figure 1 describes the syntax of lambda definability problems. In this grammar, curly brackets are used to denote repetition (zero or more occurrences of the phrases they surround). An element name, Elem, consists of a single upper case letter or digit. A function name, Fun, consists of an upper case letter, followed by one or more letters or digits. A variable name, Var, consists of a lower case letter, followed by zero or more lower case letters or digits. As usual, white space characters and comments (which begin with # and continue until end of line) separate tokens but are otherwise ignored.

A lambda definability problem has four sections. The iota section lists the elements of the set $A_\iota$, the elements that exist at type $\iota$.

The functions section defines zero or more first-order functions, using ML-style pattern matching. Each function definition consists of the function's name followed by a sequence of clauses, each of which must have the same number of patterns in its left hand side. A given variable may not appear twice in the left hand side of the same clause, and, if the right hand side of a clause is a variable, then that variable must appear in the left hand side of that clause.

Suppose that the body of a given function definition has the form

$$\begin{array}{ccccl} p^0_0 & \cdots & p^0_{m-1} & = & r^0 \\ \vdots & & \vdots & & \vdots \\ p^{n-1}_0 & \cdots & p^{n-1}_{m-1} & = & r^{n-1} \end{array}$$

A clause $j$ matches a sequence of argument elements $a_0, \ldots, a_{m-1}$ iff, for all $i \in m$, the pattern $p^j_i$ is the wildcard _ or is a variable or is equal to $a_i$. The function definition must be completely specified in the sense that it has at least one clause that matches any given sequence of arguments. Furthermore, each of its clauses must be non-redundant, in the sense that the clause matches some sequence of elements that isn't matched by any preceding clause in the definition. The function defined by the function definition is the element of $A_{\iota^m}$ that sends a sequence of arguments $a_0, \ldots, a_{m-1}$ to $r^j$, if clause $j$ is the first clause that matches the argument sequence and $r^j$ is an element, and sends the argument sequence to $a_i$, if clause $j$ is the first clause that matches the argument sequence, $r^j$ is a variable and $p^j_i = r^j$.

The constants section specifies the family of constants $C$, and thus the functions $c_{\mathcal{A}}$ for $c \in C$.

Finally, the tests section must have the form

$$\begin{array}{ccccl} a^0_0 & \cdots & a^0_{m-1} & = & x^0 \\ \vdots & & \vdots & & \vdots \\ a^{\alpha-1}_0 & \cdots & a^{\alpha-1}_{m-1} & = & x^{\alpha-1} \\[2pt] A_0 & \cdots & A_{m-1} & & X \end{array}$$

(the last row labels the columns). It implicitly specifies the natural numbers $m$ and $\alpha$, the types $\sigma_0, \ldots, \sigma_{m-1}$, the argument tuples $A_0 \in A_{\sigma_0}^\alpha, \ldots, A_{m-1} \in A_{\sigma_{m-1}}^\alpha$ and the result tuple $X \in A_\iota^\alpha$. The number of tests, $\alpha$, is required to be non-zero, since otherwise a method of explicitly specifying the types $\sigma_i$ would have to be devised.
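As an added example that is not part of lambda's distribution, the following Python parser reads the syntax of Figure 1 and implements the clause-matching rules just described (first matching clause wins, completeness and non-redundancy checks), then recovers the implicit $m$, $\alpha$, the $\sigma_i$, the $A_i$ and $X$ from the tests section. The problem text POR_TEXT is my own rendering of the parallel-or problem, since por.lam itself is not reproduced here; all function names are mine.

```python
import re
from itertools import product

FUN = re.compile(r"[A-Z][A-Za-z0-9]+\Z")   # upper case letter, then 1+ more
VAR = re.compile(r"[a-z][a-z0-9]*\Z")      # lower case letter, then 0+ more
SECTIONS = ("iota", "functions", "constants", "tests")


def tokenize(text):
    """White space separates tokens; a comment runs from # to end of line."""
    return re.sub(r"#.*", "", text).split()


def parse_funs(toks):
    """Fun clause {clause} groups, each clause being pat {pat} = result."""
    funs, name, pats, i = {}, None, [], 0
    while i < len(toks):
        if toks[i] == "=":
            funs[name].append((tuple(pats), toks[i + 1]))
            pats, i = [], i + 1
        elif FUN.match(toks[i]) and not pats:     # a new function's name
            name = toks[i]
            funs[name] = []
        else:
            pats.append(toks[i])
        i += 1
    return funs


def parse_tests(toks):
    """Each test is {test.arg} = test.result."""
    tests, args, i = [], [], 0
    while i < len(toks):
        if toks[i] == "=":
            tests.append((tuple(args), toks[i + 1]))
            args, i = [], i + 2
        else:
            args.append(toks[i])
            i += 1
    return tests


def parse_problem(text):
    toks = tokenize(text)
    at = [toks.index(k) for k in SECTIONS]
    if at[0] != 0 or at != sorted(at):
        raise ValueError("sections must be iota, functions, constants, tests")
    return {"iota": toks[1:at[1]],
            "functions": parse_funs(toks[at[1] + 1:at[2]]),
            "constants": toks[at[2] + 1:at[3]],
            "tests": parse_tests(toks[at[3] + 1:])}


def matches(pats, args):
    """Clause j matches a_0..a_{m-1} iff each p^j_i is _, a variable or a_i."""
    return all(p == "_" or VAR.match(p) or p == a for p, a in zip(pats, args))


def make_function(clauses, iota):
    """Check a definition and return the element of A_{iota^m} it denotes."""
    m = len(clauses[0][0])
    for pats, r in clauses:
        vs = [p for p in pats if VAR.match(p)]
        if len(pats) != m or len(vs) != len(set(vs)):
            raise ValueError("bad left hand side %s" % (pats,))
        if VAR.match(r) and r not in vs:
            raise ValueError("result variable %s not bound" % r)
    seen = set()                          # argument sequences matched so far
    for pats, _ in clauses:
        new = {a for a in product(iota, repeat=m) if matches(pats, a)} - seen
        if not new:
            raise ValueError("redundant clause %s" % (pats,))
        seen |= new
    if len(seen) != len(iota) ** m:
        raise ValueError("definition is not completely specified")

    def f(*args):                         # the first matching clause decides
        for pats, r in clauses:
            if matches(pats, args):
                return args[pats.index(r)] if VAR.match(r) else r
    f.arity = m
    return f


def load_problem(text):
    """Parse a problem and recover the implicit m, alpha, sigma_i, A_i and X."""
    p = parse_problem(text)
    funs = {n: make_function(cl, p["iota"]) for n, cl in p["functions"].items()}
    tests = p["tests"]
    m, alpha = len(tests[0][0]), len(tests)   # alpha = 0 fails here, as required
    # sigma_i is iota for an element column and iota^n for an n-ary function.
    arity = [funs[n].arity if n in funs else 0 for n in tests[0][0]]
    A = [tuple(funs.get(a[i], a[i]) for a, _ in tests) for i in range(m)]
    X = tuple(r for _, r in tests)
    return {"iota": p["iota"], "functions": funs, "constants": p["constants"],
            "m": m, "alpha": alpha, "arity": arity, "A": A, "X": X}


# Constructed problem text for parallel or in the syntax of Figure 1; the
# paper's por.lam is not reproduced here, so this is my own rendering.
POR_TEXT = """
# B, T and F stand for _|_, tt and ff
iota B T F
functions If B _ _ = B
             T y _ = y
             F _ z = z
constants B T F If
tests T B = T
      B T = T
      F F = F
"""


def por_example():
    return load_problem(POR_TEXT)
```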

Lambda is written in ANSI C, with the exception of its lexical analyzer and parser, which are written in lex and yacc source, respectively. It uses one UNIX System V system call. The C programs that it generates also conform to the ANSI standard; they use several UNIX System V system calls in order to implement checkpointing. The programs generated by lambda make no use of dynamic storage allocation (except during their initialization phases).

A  program  generated  by  lambda  codes  tuples  of  elements  as  integers,  and 
represents  the  algorithm’s  state  as  an  array  indexed  by  those  codes.  An  element 
of  this  array  records  (among  other  things)  whether  the  tuple  coded  by  its  index 
has  been  found.  If  it  has,  the  way  in  which  it  was  constructed  from  previously 
produced  tuples  is  also  recorded;  implicit  in  this  information  is  a  term  that 
computes  the  tuple  from  the  argument  tuples.  When  a  new  tuple  is  found 
during  a  given  stage  of  the  closure  process,  its  element  of  the  array  is  updated  to 
record  this  fact,  but  new  tuples  are  distinguished  from  existing  tuples  until  the 
stage’s  end.  New  tuples  are  produced  by  n  nested  for  loops  over  the  tuple  codes, 
where  n  is  the  greatest  number  of  arguments  that  any  constant  or  argument 
tuple  expects.  When  a  given  new  tuple  can  be  formed  in  multiple  ways,  the  first 
way  found  whose  implicit  term  has  minimal  size  is  selected. 

Figure 2 contains our first example lambda definability problem (in the left column), along with its solution (in the right column). The comment indicates that this problem is contained in the file por.lam that is included as part of lambda's distribution. We think of B, T and F as standing for the elements $\bot$, $\mathit{tt}$ and $\mathit{ff}$, respectively, of the monotone function model $\mathcal{F}$ of Finitary PCF. The occurrence of B in the constants section stands for the constant $\Omega$ of Finitary PCF, which is interpreted as $\bot$ in $\mathcal{F}$. The problem is to determine whether parallel or is definable in models of Finitary PCF that consist of $\{\bot, \mathit{tt}, \mathit{ff}\}$ at type $\iota$ and in which the constants are interpreted in the same way as in $\mathcal{F}$ (it will either be definable in all or no models of this sort).

Applying lambda to por.lam generates a C program that carries out the algorithm's closure process, producing the relation listed in the figure. The stage of one indicates that it took only one stage of this process for the relation to stabilize, and it is easy to see that this relation is the one used to show the non-definability of parallel or in the preceding section. (A triple $(x, y, z)$ is in the relation iff $x = y = z$ or $x = \bot$ or $y = \bot$.) Note that the result triple $(\mathit{tt}, \mathit{tt}, \mathit{ff})$ is in the complement of the relation.

Figure 3 shows that parallel or remains non-definable when parallel convergence is added to Finitary PCF (the original proof of this result can be found in [Abr90]). This time the C program produced by lambda was run in verbose mode, with the consequence that the elements of the resulting relation are labeled with the stages at which they were found. The relation contains two more triples than does the relation of Figure 2: $(\mathit{tt}, \mathit{tt}, \bot)$ (found at stage 2) and $(\mathit{ff}, \mathit{ff}, \bot)$ (found at stage 3).

Figure 4 shows how a non-definability result from Proposition 4.4.2 of [Cur93] can be proved using logical relations. The resulting relation consists of those triples $(x, y, z)$ such that $x = y = z$ or one of $x$, $y$ or $z$ is $\bot$. Oddly, it can be formed by adding two triples to the relation of Figure 3.

Figure 5 shows how the Berry-Plotkin function (cf. Exercise 4.1.18.2 of [Cur93]) can be used to separate Curien's $A_1$, $A_2$ and $A_3$. This time, the program produced by lambda was run in both ordinary (middle column) and verbose (right column) modes.

[Figure 3: Parallel or is not definable using parallel convergence]

[Figure 4]

The output indicates that the term

$$H = \lambda x_0.\,\mathrm{BP}\,(x_0\,\Omega\,\mathit{tt}\,\mathit{ff})\,(x_0\,\mathit{tt}\,\mathit{ff}\,\Omega)\,(x_0\,\mathit{ff}\,\Omega\,\mathit{tt})$$

(the $\bot$'s have been replaced by $\Omega$'s) was found after two stages of the closure process. The verbose version of the program's output shows that the result triple $(\mathit{tt}, \mathit{ff}, \mathit{ff})$ became paired with the body of $H$ at stage 2 of the closure process since

$$(\mathit{tt}, \mathit{ff}, \mathit{ff}) = \mathrm{BP}\,(\bot, \mathit{tt}, \mathit{ff})\,(\mathit{tt}, \mathit{ff}, \bot)\,(\mathit{ff}, \bot, \mathit{tt})$$

and the triples $(\bot, \mathit{tt}, \mathit{ff})$, $(\mathit{tt}, \mathit{ff}, \bot)$ and $(\mathit{ff}, \bot, \mathit{tt})$ were paired with the terms $x_0\,\Omega\,\mathit{tt}\,\mathit{ff}$, $x_0\,\mathit{tt}\,\mathit{ff}\,\Omega$ and $x_0\,\mathit{ff}\,\Omega\,\mathit{tt}$, respectively, at stage 1. Similarly, the triple $(\bot, \mathit{tt}, \mathit{ff})$ is paired with the term $x_0\,\Omega\,\mathit{tt}\,\mathit{ff}$ at stage 1 since

$$(\bot, \mathit{tt}, \mathit{ff}) = (A_1, A_2, A_3)\,(\bot, \bot, \bot)\,(\mathit{tt}, \mathit{tt}, \mathit{tt})\,(\mathit{ff}, \mathit{ff}, \mathit{ff})$$

and the constantly $\bot$, $\mathit{tt}$ and $\mathit{ff}$ triples were paired with the terms $\Omega$, $\mathit{tt}$ and $\mathit{ff}$ at stage 0.

As a final example, we consider the problem of determining whether there is a definable element of type $\iota^3 \to \iota$ of the monotone function model $\mathcal{F}$ of Finitary PCF that sends an argument $x$ to $\mathit{tt}$, if $x \sqsupseteq A_i$ for some $i$, and sends $x$ to $\bot$, otherwise. Since there are many elements of $F_{\iota^3}$ that don't dominate any of the $A_i$'s, lambda can't be used in a purely mechanical way to solve this problem.

One can, however, use lambda to solve lambda definability problems that specify that certain hand-picked functions must be sent to $\bot$. A bit of experimentation (see curien4.lam and curien5.lam in lambda's distribution) led to the problem of Figure 6, which specifies that parallel or, parallel and, and their "negations" should be sent to $\bot$. Running the program generated from this problem by lambda takes a considerable amount of time (about eight hours of cpu time on a Sun 690MP) and produces the term $\lambda x_0.\,G$, where

$$G = x_0\,L\,M\,N$$

$$L = \mathrm{If}\,Z\,(\mathrm{If}\,Y\,\Omega\,\mathit{ff})\,(\mathrm{If}\,X\,\mathit{tt}\,\Omega)$$

$$M = \mathrm{If}\,X\,(\mathrm{If}\,Z\,\Omega\,\mathit{ff})\,(\mathrm{If}\,Y\,\mathit{tt}\,\Omega)$$

$$N = \mathrm{If}\,Y\,(\mathrm{If}\,X\,\Omega\,\mathit{ff})\,(\mathrm{If}\,Z\,\mathit{tt}\,\Omega)$$

$$X = x_0\,\mathit{tt}\,\mathit{ff}\,\Omega$$

$$Y = x_0\,\Omega\,\mathit{tt}\,\mathit{ff}$$

$$Z = x_0\,\mathit{ff}\,\Omega\,\mathit{tt}.$$

By considering the possible values of $X$, $Y$ and $Z$, it is straightforward to show that $G$ produces $\mathit{tt}$ iff $x_0$ dominates one of the $A_i$'s or is the constantly $\mathit{tt}$ function. Furthermore, the term $\lambda x_0.\,H$, where

$$H = x_0\,M\,N\,L,$$

is produced as the solution of the variation of this problem (called curien7.lam in lambda's distribution) that specifies that the $A_i$'s should be sent to $\mathit{ff}$ rather
[Figure 6: Synthesis of a term sending the $A_i$'s to $\mathit{tt}$ and parallel or, parallel and, and their negations to $\bot$.]
than to $\mathit{tt}$, and $H$ produces $\mathit{ff}$ iff $x_0$ dominates one of the $A_i$'s or is the constantly $\mathit{ff}$ function. Thus, it is easy to see that the term

$$Q = \lambda x_0.\,\mathrm{If}\,G\,(\mathrm{If}\,H\,\Omega\,\mathit{tt})\,\Omega$$

solves the problem of sending an argument to $\mathit{tt}$, when it dominates one of the $A_i$'s, and sending the argument to $\bot$, otherwise.

Interestingly,  I  wasn’t  able  to  generate  such  a  term  as  the  solution  to  a  single 
lambda  definability  problem.  One  obstacle  to  my  doing  so  was  the  necessity  of 
employing  at  most  seven  tests,  since  it  would  take  weeks  rather  than  hours  to 
solve  a  problem  with  eight  tests.  In  any  event,  there  is  no  chance  of  producing 
Q  itself  in  such  a  way,  since  its  body  has  depth  six  and  there  is  another  known 
solution  to  the  problem  whose  body  has  depth  five. 
Abstract

All known structures involving a constructively obtainable fixed point (or iteration) operation satisfy the equational laws defining iteration theories. Hence, there seems to be a general equational theory of iteration. This paper provides evidence that there is no general implicational theory of iteration. In particular, the quasi-variety generated by the continuous ordered theories, in which fixed point equations have least solutions, is incomparable with the quasi-variety generated by the pointed iterative theories, in which fixed point equations have unique solutions.

1  Introduction 


Iteration theories were introduced in 1980 by Bloom, Elgot and Wright, and independently by Z. Ésik, in order to formalize the equational properties of the stepwise behavior of flowchart algorithms and to provide a calculus for solving systems of fixed point equations. Iteration theories, which are (Lawvere) algebraic theories enriched by a fixed point operation, have basic operations which, in the flowchart setting, denote composition, a case statement, and a looping or iteration operation. It now appears that the equational laws of iteration theories are quite comprehensive. It has been shown that in all structures that have been used as semantic models, the equational properties of the fixed point operation are captured by the axioms describing iteration theories. These structures include

• the (equivalence classes) of the flowchart schemes themselves

• $\omega$-continuous algebras

• theories of partial functions

• finitary and infinitary regular languages

• trees and synchronization trees

• the continuous functors involved in the specification of circular data types

and others.

* Partially supported by a joint grant from the NSF and the Hungarian Academy of Science.
† Partially supported by a grant from the National Foundation for Scientific Research of Hungary and

Thus, the notion of iteration theory appears to be a unifying concept in many areas of theoretical computer science. We think it is important therefore to investigate various aspects of this notion. Equational axioms for iteration theories were given in [13, 14, 21, 22, 9, 16]. All of these sets of axioms involve a complicated equation scheme that we call the commutative identity. For example, in [13], other than the commutative identity, there are three equational schemes: the left and right zero identities and the pairing identity (see below).

Most of the known examples of iteration theories which are closely related to natural models of computation satisfy a simple implication scheme, the functorial dagger implication, which is much easier to establish than the commutative identity and which in fact implies the commutative identity. The quasi-variety FD of structures which are models of the functorial dagger implication, the zero identities, and the pairing identity, has the property that the least equational class containing FD is the class of all iteration theories. This fact is closely related to the fact, recently discovered independently by K.B. Arkhangelsky and P.V. Gorshkov [1], D. Kozen [18] and D. Krob [19], that the regular sets have simple finite implicational axiomatizations, although they have no finite equational axiomatization.

One might ask whether there is a general implicational theory of iteration, as general as the equational axioms determining the variety of iteration theories. In order to answer this question, we investigated the implicational theories of a number of quasi-varieties which are subclasses of the class of all iteration theories. Many of these quasi-varieties are of interest in themselves. Further, each has the property that the least variety it generates is either the variety of all iteration theories or the variety of all iteration theories with a unique morphism $1 \to 0$. As is shown below, apparently there is no general implicational theory applicable to all of our examples. In particular, the quasi-variety $\Omega$ in which systems of fixed point equations have least solutions, and the quasi-variety PI in which (nontrivial) systems of fixed point equations have unique solutions, have incomparable implicational theories.


2  Preliminaries 

In this section, we give the precise definitions needed to understand the later results. Familiarity with [7] or [8] would be helpful. We will use the following notation. For $n \ge 0$, the set $[n]$ is

$$[n] = \{1, 2, \ldots, n\}.$$

In any category, the composite of morphisms $f : X \to Y$ and $g : Y \to Z$ is written $f \cdot g : X \to Z$.
We prefer the following definition of an algebraic theory.

Definition 2.1 An algebraic theory is a category $T$ whose objects are the nonnegative integers $n$, $n \ge 0$. For each $n \ge 0$, there are $n$ distinguished morphisms

$$i_n : 1 \to n$$

with the following coproduct property. For any family of morphisms $f_i : 1 \to p$, for $i \in [n]$, there is a unique morphism $f : n \to p$ such that

$$i_n \cdot f = f_i, \qquad (1)$$

for each $i \in [n]$. A morphism of algebraic theories $\varphi : T \to T'$ is a functor which preserves objects and distinguished morphisms, i.e., $n\varphi = n$ and $i_n\varphi = i_n$, for all $n \ge 0$ and all $i \in [n]$.

The morphism $f$ determined by (1) is called the source tupling of the morphisms $f_i$, and is written

$$f = \langle f_1, \ldots, f_n \rangle.$$

In the case that $n = 0$, the condition (1) amounts to the requirement that there is a unique morphism $0_p : 0 \to p$, for each $p$. When $n = 1$, we always assume that $f_1 = \langle f_1 \rangle$. For any $n \ge 0$, the identity morphism $n \to n$ will be denoted using boldface by $\mathbf{1}_n$. Note that $\mathbf{1}_n = \langle 1_n, 2_n, \ldots, n_n \rangle$.

Suppose that $T$ is an algebraic theory. For each (set theoretic) function $f : [n] \to [p]$, there is a “base morphism” $f' : n \to p$ defined as the source tupling of the distinguished morphisms $(if)_p : 1 \to p$, $i \in [n]$. When $T$ is nontrivial, i.e., when there are at least 2 morphisms $1 \to 2$ in $T$, the map from functions to base morphisms is injective. We will usually identify base morphisms $n \to p$ with functions $[n] \to [p]$. A base morphism is called surjective or a permutation, etc., when the corresponding function has that property.

The coproduct properties of theories imply that for any pair of morphisms $f : n \to p$ and $g : m \to p$ in $T$, there is a unique morphism $(f, g) : n + m \to p$ such that $\kappa \cdot (f, g) = f$ and $\lambda \cdot (f, g) = g$, where $\kappa : n \to n + m$ and $\lambda : m \to n + m$ are base morphisms corresponding to the inclusion and translated inclusion functions. The morphism $(f, g) : n + m \to p$ is called the source pairing of $f, g$.

For any pair of morphisms $f : n \to p$ and $g : m \to q$, we write $f \oplus g$ for the morphism $(f \cdot \kappa, g \cdot \lambda) : n + m \to p + q$, where now $\kappa : p \to p + q$ and $\lambda : q \to p + q$. The morphism $f \oplus g$ is called the separated sum of $f, g$.

Definition 2.2 A preiteration theory $T$ is an algebraic theory enriched by an iteration operation $f \mapsto f^\dagger$, where $f : n \to n + p$ and $f^\dagger : n \to p$. A morphism of preiteration theories $\varphi : T \to T'$ is a theory morphism which preserves the iteration operation, i.e., $f^\dagger\varphi = (f\varphi)^\dagger$, for all $f : n \to n + p$ in $T$.

The operation $\dagger$ need not satisfy any properties.
Definition 2.3 An iteration theory is a preiteration theory in which the iteration operation satisfies the following four identities (see [13]):

• Left zero identity

$$(0_n \oplus f)^\dagger = f,$$

all $f : n \to p$.

• Right zero identity

$$(f \oplus 0_q)^\dagger = f^\dagger \oplus 0_q,$$

all $f : n \to n + p$.

• Pairing identity

$$\langle f, g \rangle^\dagger = \langle h^\dagger,\ g^\dagger \cdot \langle h^\dagger, \mathbf{1}_p \rangle \rangle,$$

all $f : n \to n + m + p$, $g : m \to n + m + p$, where

$$h := f \cdot \langle \mathbf{1}_n \oplus 0_p,\ g^\dagger \rangle.$$

• Commutative identity

$$\langle 1_m \cdot \rho \cdot f \cdot (\rho_1 \oplus \mathbf{1}_p),\ \ldots,\ m_m \cdot \rho \cdot f \cdot (\rho_m \oplus \mathbf{1}_p) \rangle^\dagger = \rho \cdot (f \cdot (\rho \oplus \mathbf{1}_p))^\dagger,$$

all $f : n \to m + p$, surjective base $\rho : m \to n$, and base $\rho_i : m \to m$, $i \in [m]$, such that $\rho_i \cdot \rho = \rho$.

The above four identities imply the following two:

• Fixed Point Identity

$$f^\dagger = f \cdot \langle f^\dagger, \mathbf{1}_p \rangle,$$

all $f : n \to n + p$.

• Permutation Identity

$$(\pi \cdot f \cdot (\pi^{-1} \oplus \mathbf{1}_p))^\dagger = \pi \cdot f^\dagger,$$

for all $f : n \to n + p$ and all base permutations $\pi : n \to n$.

The commutative identity is the axiom which is most difficult to verify (and to understand!). By replacing it with certain implications, we will obtain some quasi-varieties which generate the class of all iteration theories.

First, we give a name to a simpler group of identities.
Definition 2.4 A Conway theory is a preiteration theory which satisfies the zero identities, the pairing identity and the permutation identity.

The term Conway theory is due to the fact that in matrix preiteration theories, an equivalent set of identities is given by the familiar star sum and product identities which were studied by Conway [10]. See also [22, 5, 6].

$$(a + b)^* = $$

$$(ab)^* = 1 + a(ba)^* b$$

In any Conway theory we define $\bot := \mathbf{1}_1^\dagger : 1 \to 0$ and $\bot_{np} := \langle \bot \cdot 0_p, \ldots, \bot \cdot 0_p \rangle$. It follows from the Conway theory axioms that

$$\bot_{np} = (\mathbf{1}_n \oplus 0_p)^\dagger,$$

for all $n, p \ge 0$.

Now we describe two implication schemes.

• Functorial dagger implication

$$f \cdot (\rho \oplus \mathbf{1}_p) = \rho \cdot g \implies f^\dagger = \rho \cdot g^\dagger,$$

for all $f : n \to n + p$, $g : m \to m + p$ and surjective base $\rho : n \to m$. (When the implication holds for all morphisms $\rho$ in some class $C$, we say that the theory satisfies the functorial dagger for $C$.)

• The GA-implication

$$f^{\dagger\dagger} = g^{\dagger\dagger} \implies (g \cdot \langle f^\dagger, \mathbf{1}_{1+p} \rangle)^\dagger = f^{\dagger\dagger},$$

for all $f, g : 1 \to 2 + p$.

Note that both the functorial dagger implication and the GA-implication in fact consist of infinitely many implications. The GA-implication was introduced in the setting of matrix theories in [1] to give a set of implicational axioms for the regular sets.

It is easy to verify the following fact.

Proposition 2.5 [13] If $T$ is a preiteration theory which satisfies the functorial dagger implication, then $T$ satisfies the commutative identity. Hence any Conway theory which satisfies the functorial dagger implication is an iteration theory. □

The next proposition was proved in [8].

Proposition 2.6 If $T$ is a Conway theory which satisfies the GA-implication, then $T$ also satisfies the functorial dagger implication. □

The first class of iteration theories we describe is a class of ordered theories.


Definition 2.7 • An ordered algebraic theory $T$ is an algebraic theory such that for each pair $n, p$ of nonnegative integers, the set $T(n, p)$ is equipped with a partial order. The order on $T(n, p)$ will be written $f \le g : n \to p$. The theory operations respect the ordering: if $f_1 \le f_2 : n \to p$ and $g_1 \le g_2 : p \to q$ then

$$f_1 \cdot g_1 \le f_2 \cdot g_2.$$

Further, if $f_i \le g_i : 1 \to p$, for each $i \in [n]$, then

$$\langle f_1, \ldots, f_n \rangle \le \langle g_1, \ldots, g_n \rangle.$$

• A pointed ordered theory is an ordered theory which is pointed, i.e., there is a distinguished morphism $\bot : 1 \to 0$; as usual, we define $\bot_{1p}$ as $\bot \cdot 0_p$, for all $p \ge 0$, and $\bot_{np}$ as $\langle \bot_{1p}, \ldots, \bot_{1p} \rangle$, for $n \ne 1$. Furthermore, the morphisms $\bot_{np}$ are the least elements in $T(n, p)$. Note that composition in pointed theories is left strict:

for all $f : p \to q$.

• A pointed ordered theory $T$ is $\omega$-continuous if each hom-set $T(n, p)$ is an $\omega$-complete poset and if composition is also $\omega$-continuous:

$$(\sup_n f_n) \cdot g = \sup_n f_n \cdot g,$$

$$f \cdot (\sup_n g_n) = \sup_n f \cdot g_n,$$

for $\omega$-chains $(f_n)$, $(g_n)$, where $f_n : m \to p$ and $g_n : p \to q$, $n \ge 0$, and for $f : m \to p$, $g : p \to q$.

(The importance of certain kinds of ordered theories for semantics, in particular the $\omega$-continuous theories, was emphasized by the ADJ group (J. Goguen, J. Thatcher, E.G. Wagner and J. Wright) in a number of papers [24, 17, 23].) In [8] it is shown that each $\omega$-continuous theory is an iteration theory, where for $f : n \to n + p$,

$$f^\dagger := \sup_k f^k \cdot (\bot_{n0} \oplus \mathbf{1}_p).$$

The powers $f^k$ of $f$ are defined as follows:

$$f^0 := \mathbf{1}_n \oplus 0_p \qquad (2)$$

$$f^{k+1} := f \cdot \langle f^k,\ 0_n \oplus \mathbf{1}_p \rangle. \qquad (3)$$

Thus, in $\omega$-continuous theories, $f^\dagger$ is the least solution to the iteration equation for $f$:

$$\xi = f \cdot \langle \xi, \mathbf{1}_p \rangle.$$

Now we recall a class of theories first introduced by Elgot [11].
Definition 2.8 An ideal theory is an algebraic theory $T$ with the property that each morphism $1 \to p$ in $T$ is either a distinguished morphism $i_p$ or is ideal. An ideal morphism $f : 1 \to p$ is a morphism with the property that for each $g : p \to q$, the composite $f \cdot g : 1 \to q$ is not distinguished. An iterative theory is an ideal theory such that for each ideal morphism $f : 1 \to 1 + p$, there is a unique morphism $f^\dagger : 1 \to p$ such that

$$f^\dagger = f \cdot \langle f^\dagger, \mathbf{1}_p \rangle.$$

Proposition 2.9 [3] If $t_0 : 1 \to 0$ is any morphism in an iterative theory $T$, there is a unique extension of the operation $\dagger$ from the ideal morphisms to all morphisms such that $T$ becomes an iteration theory satisfying $\mathbf{1}_1^\dagger = t_0$. The resulting iteration theory is denoted $(T, \mathbf{1}_1^\dagger = t_0)$. □

An iteration theory $(T, \mathbf{1}_1^\dagger = t_0)$, where $T$ is an iterative theory, is called a pointed iterative theory. In [8], it is shown that any pointed iterative theory satisfies the GA-implication.

Tree theories are examples of pointed iterative theories as well as $\omega$-continuous theories.

Example 2.10 Theories of trees. Let $\Sigma$ be a signature, i.e., $\Sigma = \bigcup_{n \ge 0} \Sigma_n$ is the union of the pairwise disjoint sets $\Sigma_n$. Suppose the set $V = \{x_1, x_2, \ldots\}$ is disjoint from $\Sigma$. In the theory $\Sigma\mathrm{TR}$, a morphism $1 \to p$ is a $\Sigma$-tree $t : 1 \to p$. (A $\Sigma$-tree $t : 1 \to p$ is a partial function whose domain is a nonempty prefix closed subset of the set $[\omega]^*$ of finite sequences of positive integers. The target of $t$ is the set $\Sigma \cup \{x_1, \ldots, x_p\}$. Further, if $u \in \mathrm{dom}\,t$ and $ut \in \Sigma_n$ then $ui \in \mathrm{dom}\,t$ iff $i \in [n]$; also, if $ut \in \Sigma_0 \cup \{x_1, \ldots, x_p\}$, then $u$ is a leaf, i.e., $ui$ is not in $\mathrm{dom}\,t$, for any $i > 0$. See [12] for a thorough study of the algebraic theory of trees.) We identify the variable $x_i$ with the partial function defined only on the empty word $\lambda$ with value $x_i$. Similarly, we identify $\sigma \in \Sigma_n$ with the partial function defined on $\lambda$ and the length one sequences $1, \ldots, n$ as follows: $\lambda\sigma := \sigma$; $i\sigma := x_i$, $i \in [n]$.

If $n \ne 1$, a morphism $n \to p$ in $\Sigma\mathrm{TR}$ is an $n$-tuple of morphisms $1 \to p$. The composite of $t : 1 \to p$ with $s = \langle s_1, \ldots, s_p \rangle : p \to q$ is the tree obtained by attaching the tree $s_i$ to each leaf of $t$ labeled $x_i$, $i \in [p]$. When $n \ne 1$, the composite of $t = \langle t_1, \ldots, t_n \rangle : n \to p$ with $s : p \to q$ is defined as

$$t \cdot s := \langle t_1 \cdot s, \ldots, t_n \cdot s \rangle.$$

The distinguished morphism $i_n$ is the tree $x_i : 1 \to n$, for each $i \in [n]$.

Note that if $f : 1 \to 1 + p$ is any tree other than $1_{1+p}$, there is a unique tree $f^\dagger : 1 \to p$ such that

$$f^\dagger = f \cdot \langle f^\dagger, \mathbf{1}_p \rangle.$$

Thus, $\Sigma\mathrm{TR}$ is an iterative theory.

If $X$ is a letter not in the set $\Sigma$, let $\Sigma_X$ denote the signature obtained by adding $X$ to $\Sigma_0$. The pointed iterative theory

$$(\Sigma_X\mathrm{TR},\ \mathbf{1}_1^\dagger = X)$$

is an $\omega$-continuous ordered theory, where the ordering can be described as follows: $f \le g$ if $g$ can be obtained from $f$ by replacing some occurrences of $X$ by other trees. In fact, $(\Sigma_X\mathrm{TR}, \mathbf{1}_1^\dagger = X)$ is the free $\omega$-continuous theory on $\Sigma$ (see [24, 17]).
A tree theory is a pointed iterative theory

$$(\Sigma_\bot\mathrm{TR},\ \mathbf{1}_1^\dagger = \bot),$$

where the “point” $\bot$ is the new atomic letter of rank 0. This theory is usually written TR, for short.

We will occasionally make use of the subiteration theory $\Sigma\mathrm{tr}$ of $\Sigma_X\mathrm{TR}$, which consists of the regular trees. Recall that a tree $t : 1 \to p$ is regular if it has a finite number of subtrees. When $t : n \to p$, for some $n \ne 1$, $t$ is regular if the components $i_n \cdot t$ are regular, for all $i \in [n]$. By the definition in [3, 4], $\Sigma\mathrm{tr}$ can be characterized as the iteration theory freely generated by $\Sigma$.

We mention two other important classes of $\omega$-continuous theories.

Example 2.11 The theory $\mathrm{Rel}_A$ has as morphisms $n \to p$ all relations

$$A \times [n] \to A \times [p].$$

Composition in the theory is composition of relations. Identifying $A$ with $A \times [1]$, the distinguished morphism $i_p : 1 \to p$ is the function, considered as a relation,

$$A \to A \times [p]$$

$$a \mapsto (a, i).$$

The tupling $f := \langle f_1, \ldots, f_n \rangle$ of the morphisms $f_i : 1 \to p$ is the relation

$$A \times [n] \to A \times [p]$$

$$(a, i)\ f\ (a', j) \iff a\ f_i\ (a', j).$$

With the standard ordering of relations, for any relation $f : A \times [n] \to A \times [n + p]$, there is a least relation $f^\dagger : A \times [n] \to A \times [p]$ which satisfies

$$f^\dagger = f \cdot \langle f^\dagger, \mathbf{1}_p \rangle.$$

The theory $\mathrm{Rel}_A$ is also an $\omega$-continuous theory. The morphism $\bot_{np}$ in $\mathrm{Rel}_A$ is the empty relation $n \to p$.

The theory $\mathrm{Pfn}_A$ is the subtheory of $\mathrm{Rel}_A$ whose morphisms $n \to p$ are the partial functions $A \times [n] \to A \times [p]$. The distinguished morphisms and the theory and iteration operations are the same as those in $\mathrm{Rel}_A$.

The notion of an iteration term is defined in the expected way as a formal expression which denotes a morphism in a (pre)iteration theory. These terms are constructed from an infinite set of variables for morphisms $n \to p$, for each $n, p \ge 0$, constants for each of the distinguished morphisms, and the operation symbols for composition, tupling and dagger. (Source pairing and separated sum are understood as abbreviations.)

For our purposes, an implication or quasi-identity is an expression of the form

$$s_1 = t_1 \wedge \ldots \wedge s_n = t_n \implies s_{n+1} = t_{n+1},$$

where $n \ge 0$ and $s_i, t_i$ are iteration terms. Note that when $n = 0$, an implication is an equation. Each instance of the functorial dagger or GA-implication is an implication. We understand an implication to be satisfied by, or true or valid in a preiteration theory $T$ if the implication is true for any interpretation of the variables as morphisms in $T$ with the appropriate source and target.

If $K$ is any class of preiteration theories, let $\mathrm{Imp}(K)$ denote the collection of all implications valid in each theory in $K$. For any set $I$ of implications, let $\mathrm{Mod}(I)$ denote all preiteration theories in which each implication in $I$ is true.

Suppose that $K$ is a class of iteration theories.

Definition 2.12 The quasi-variety generated by $K$, in symbols $\mathrm{Qv}(K)$, is the class $\mathrm{Mod}(\mathrm{Imp}(K))$, the class of all iteration theories which satisfy all implications valid in all theories in $K$. $K$ is a quasi-variety if $K = \mathrm{Qv}(K)$.

Note that if $K \subseteq K'$, then $\mathrm{Qv}(K) \subseteq \mathrm{Qv}(K')$. If $I$ is some set of implications, then the class of all models of $I$ is a quasi-variety.

3 Some Quasi-Varieties of Iteration Theories

Aside from IT, the variety of all iteration theories, we will be considering the following quasi-varieties.

• $V_\bot$, the quasi-variety generated by the class of tree theories.

• $V_g$, the quasi-variety generated by the class of theories

$$(\Sigma\mathrm{TR},\ \mathbf{1}_1^\dagger = t_0).$$

• PI, the quasi-variety generated by all pointed iterative theories.

• PFN, the quasi-variety generated by the theories $\mathrm{Pfn}_A$.

• REL, the quasi-variety generated by the theories $\mathrm{Rel}_A$.

• $\Omega$, the quasi-variety generated by the class of all $\omega$-continuous theories.

• $\Omega_u$, the quasi-variety generated by all $\omega$-continuous theories with a unique morphism $1 \to 0$.

• MAT, the quasi-variety generated by all matrix iteration theories [8, 5].

• GA, the collection of Conway theories which satisfy the GA-implication.

• FD, the collection of Conway theories which satisfy the functorial dagger implication.

• Manes [20] has called a morphism $h : n \to p$ in a preiteration theory pure if $h \cdot \mathbf{1}_p^\dagger = \mathbf{1}_n^\dagger$. Note that any base morphism is pure. Let $FD_p$ denote the collection of Conway theories which satisfy the functorial dagger implication for the class of all pure morphisms, namely, the implication

$$h \cdot \mathbf{1}_m^\dagger = \mathbf{1}_n^\dagger\ \wedge\ f \cdot (h \oplus \mathbf{1}_p) = h \cdot g \implies f^\dagger = h \cdot g^\dagger,$$

for all $f : n \to n + p$, $g : m \to m + p$, and $h : n \to m$.

• Lastly, we let $FD_a$ denote the quasi-variety of all Conway theories which satisfy the functorial dagger implication for the class of all morphisms.

Figure 1: The Quasi-Variety Poset


4  The  Results 


We will prove that if the quasi-varieties are ordered by set inclusion, they form a poset whose structure is indicated in Figure 1.

Each of the inclusions is strict. If there is no chain of inclusions from one quasi-variety to another, the two are incomparable with respect to inclusion. Thus, we have a complete description of the poset of these classes.

Further, the variety of iteration theories generated by $V_\bot$, and all of the quasi-varieties above it, is IT. The variety generated by PFN, REL, $\Omega_u$, $FD_a$, and MAT is the variety of all iteration theories with a unique morphism $1 \to 0$.

In addition, we will show that there is an infinite chain of quasi-varieties

$$FD \subset \ldots \subset FD_3 \subset FD_2 \subset FD_1 = IT$$

between FD and IT. $FD_n$ is the quasi-variety of all iteration theories which satisfy the functorial dagger implication for the class of base morphisms $k \to 1$, for $1 \le k \le n$.


5  Inclusions 

It is clear that the following inclusions hold:

$$V_\bot \subset V_g \subset PI$$

$$FD_a \subset FD_p \subset FD$$

$$PFN \subset REL \subset \Omega_u \subset \Omega,$$

and each class is contained in the class IT of all iteration theories. The inclusions

$$PI \subset GA \subset FD$$

$$\Omega_u \subset FD_a$$

$$REL \subset MAT$$

are proved in [8], and the inclusion

$$V_\bot \subset \Omega$$

is known from [24]. We will show now that each of the inclusions indicated in Figure 1 is proper, and that two quasi-varieties are incomparable unless there is a chain of inclusions from one to the other. It was proved in [15] that $FD \ne IT$. We will give two new independent arguments for this fact below.

The organization of the argument follows the shape of Figure 1. We proceed first up the right side, and continue to the left.


5.1 $V_\bot \subset V_g$

We need show only that $V_\bot \ne V_g$. Consider the following implication.

$$f \cdot g = \mathbf{1}_1^\dagger \implies f^\dagger = \mathbf{1}_1^\dagger,\qquad \text{all } f : 1 \to 1,\ g : 1 \to 0. \qquad (4)$$

This implication is valid in all tree theories, since in the tree theory

$$(\Sigma_\bot\mathrm{TR},\ \mathbf{1}_1^\dagger = \bot),$$

the tree $\mathbf{1}_1^\dagger$ is the atomic tree $\bot$. Thus, if $f \cdot g = \bot$, then either $f = \mathbf{1}_1$ (and $g = \bot$) or $f = \bot \cdot 0_1$. However, if $\Sigma$ contains a letter $f \in \Sigma_1$ and a letter $g$ in $\Sigma_0$, the implication fails in the theory

$$(\Sigma\mathrm{TR},\ \mathbf{1}_1^\dagger = f \cdot g).$$
5.2 $V_g \subset PI$

The inclusion $V_g \subset PI$ holds since every theory $(\Sigma\mathrm{TR}, \mathbf{1}_1^\dagger = t_0)$ is a pointed iterative theory. Also the following implication is valid in these theories:

$$f \cdot f = g \cdot g \implies f = g,\qquad f, g : 1 \to 1. \qquad (5)$$

But we show that (5) is not valid in an iterative theory $\mathrm{TTF}_X$ of timed terminal functions on $X$ [11]. Indeed, writing $N$ for the set of nonnegative integers, let $X = \{a, b\}$ and let $f, g : X \times N \to X \times N$ be the timed terminal functions defined by

$$(a, n)f := (b, n + 1)$$

$$(b, n)f := (a, n + 1)$$

$$(x, n)g := (x, n + 1),\qquad x \in \{a, b\}.$$

Then $(x, n)f \cdot f = (x, n)g \cdot g = (x, n + 2)$, but $f \ne g$.


5.3 $PI \subset GA$

It was shown in [8] that $PI \subset GA$. In order to show the inclusion is strict, we will show that the following implication is valid in PI.

$$p \cdot q = \mathbf{1}_1 \implies \langle p, p \cdot \pi \rangle \cdot \langle p, p \cdot \pi \rangle = \mathbf{1}_2, \qquad (6)$$

where $p : 1 \to 2$, $q : 2 \to 1$ and where $\pi := \langle 0_1 \oplus \mathbf{1}_1,\ \mathbf{1}_1 \oplus 0_1 \rangle$ is the nontrivial base permutation $2 \to 2$. Indeed, in any ideal theory, if $p : 1 \to 2$ and if $p \cdot q = \mathbf{1}_1$ for some $q : 2 \to 1$, then either $p = \mathbf{1}_1 \oplus 0_1$ or $p = 0_1 \oplus \mathbf{1}_1$. Hence $f := \langle p, p \cdot \pi \rangle$ is either $\mathbf{1}_2$ or $\pi$. In either case $f \cdot f = \mathbf{1}_2$.

If $S$ is any semiring, $\mathrm{Mat}_S$ is the theory whose morphisms $n \to p$ are the $n$ by $p$ matrices with entries in $S$; matrix multiplication is the theory composition. For other details, see [5, 8]. When $S$ is the semiring of regular subsets of $A^*$, we denote the corresponding matrix theory by $\mathrm{Reg}_A$. Now suppose that $T = \mathrm{Reg}_A$, and that $p$ and $q$ are the following matrices:

$$p := \begin{pmatrix} 1 & x \end{pmatrix}$$

where $x$ is some nonempty regular subset of $A^*$. Then $p \cdot q = \mathbf{1}_1$. However, if $f = \langle p, p \cdot \pi \rangle$, then

$$f \cdot f = \begin{pmatrix} 1 & x \\ x & 1 \end{pmatrix} \begin{pmatrix} 1 & x \\ x & 1 \end{pmatrix} = \begin{pmatrix} 1 + xx & x \\ x & 1 + xx \end{pmatrix} \ne \mathbf{1}_2.$$

It is known from [1] that $\mathrm{Reg}_A$ satisfies the GA-implication. Hence, $\mathrm{Reg}_A$ is in $GA - PI$.


Remark 5.1 We note here that the collection of all pointed iterative theories does not form a quasi-variety since this collection is not closed under binary products. For the same reason, the collection of tree theories or theories $(\Sigma\mathrm{TR}, \mathbf{1}_1^\dagger = t_0)$ is not a quasi-variety.


5.4 $GA \subset FD$

It was shown in [8] that $GA \subset FD$. In order to show that the inclusion is strict, we apply the following extension of the Zero Congruence Lemma [8].

Lemma 5.2 If $\theta$ is a zero congruence on the free iteration theory $\Sigma\mathrm{tr}$, then the theory $\Sigma\mathrm{tr}/\theta$ satisfies the functorial dagger implication.

We give a proof of this fact, together with a concrete description of $\theta$, in the Appendix.

Now define $\Sigma$ as the signature having only two symbols $f, g$ of rank 2. Let $\theta$ be the zero congruence generated by

$$f^{\dagger\dagger}\ \theta\ g^{\dagger\dagger}.$$

In the Appendix (Theorem 8.2) it is shown that two regular trees $1 \to p$ are related by $\theta$ if one can be obtained from the other by replacing some subtrees of the form $f^{\dagger\dagger}$ by $g^{\dagger\dagger}$, and some subtrees $g^{\dagger\dagger}$ by $f^{\dagger\dagger}$. The theory $\Sigma\mathrm{tr}/\theta$ satisfies the functorial dagger implication, by the lemma, but does not satisfy the GA-implication. Indeed, if

$$h := g \cdot \langle f^\dagger, \mathbf{1}_1 \rangle,$$

then it is not the case that $h^\dagger\ \theta\ f^{\dagger\dagger}$, since $h^\dagger$ has no subtrees of the form $f^{\dagger\dagger}$ or $g^{\dagger\dagger}$.


5.5 $V_g \subset FD_p$

First, we prove the following lemma.

Lemma 5.3 Suppose that

$$T := (\Sigma\mathrm{TR},\ \mathbf{1}_1^\dagger = t_0).$$

Then $T \in FD_p$.

We write $\bot$ for $\mathbf{1}_1^\dagger$, as usual, rather than $t_0$. In [4] it was shown that for any $f : n \to n + p$ in $T$, $f^\dagger$ is given by a metric limit:

$$f^\dagger = \lim_{k \to \infty} f^k \cdot (\bot_{n0} \oplus \mathbf{1}_p),$$

where $f^k$ was defined in (2) and (3) above. Now suppose that $h : n \to m$ and that

$$f \cdot (h \oplus \mathbf{1}_p) = h \cdot g,$$

where $g : m \to m + p$. Then it follows that for each $k \ge 1$,

$$f^k \cdot (h \oplus \mathbf{1}_p) = h \cdot g^k.$$

Hence, if $h$ is pure,

$$f^k \cdot (\bot_{n0} \oplus \mathbf{1}_p) = f^k \cdot (h \cdot \bot_{m0} \oplus \mathbf{1}_p)$$

$$= f^k \cdot (h \oplus \mathbf{1}_p) \cdot (\bot_{m0} \oplus \mathbf{1}_p)$$

$$= h \cdot g^k \cdot (\bot_{m0} \oplus \mathbf{1}_p).$$

The result follows from the fact that

$$\lim_{k \to \infty} h \cdot g^k \cdot (\bot_{m0} \oplus \mathbf{1}_p) = h \cdot \left(\lim_{k \to \infty} g^k \cdot (\bot_{m0} \oplus \mathbf{1}_p)\right)$$

$$= h \cdot g^\dagger.\ \square$$

Corollary 5.4 $V_g \subset FD_p$. □

To show that the inclusion $V_g \subset FD_p$ is proper, note that the theory $\mathrm{TTF}_X$ of timed terminal functions in section 5.2 is in PFN as well as in PI, and hence in $FD_p$. It was shown in that section that $\mathrm{TTF}_X$ is not in $V_g$.

5.6 $FD_p \subset FD$

We now find an iteration theory which satisfies the functorial dagger implication for all base morphisms but not for all pure morphisms. Let $\Sigma$ be a signature which has just two symbols $\sigma, \tau$ in $\Sigma_1$, and which is empty otherwise. We define an iteration theory congruence $\sim$ on $\Sigma_\bot\mathrm{TR}$ as follows. For any trees $f, g : 1 \to p$, $f \sim g$ iff

• both trees have a leaf labeled by some variable $x_i$, $i \in [p]$, and the set of all labels of all of the vertices of $f$ is the same as that of $g$, or

• neither has a leaf labeled by a variable, and both symbols $\sigma, \tau$ occur infinitely often in both $f$ and $g$, or

• neither tree has a leaf labeled by a variable, and neither tree has both symbols $\sigma, \tau$ occurring infinitely often as vertex labels.

Of course, if $f, g : n \to p$, where $n > 1$, then $f \sim g$ iff $i_n \cdot f \sim i_n \cdot g$, for all $i \in [n]$. Let $T$ denote the quotient theory $\Sigma_\bot\mathrm{TR}/\!\sim$. Then the morphisms $1 \to 0$ in $T$ are the two congruence classes

$$[\bot]\quad \text{and}\quad [(\sigma \cdot \tau)^\dagger].$$

When $p \ge 1$, the morphisms $1 \to p$ in $T$ are the $4p + 2$ equivalence classes

$$[\bot \cdot 0_p],\ [(\sigma \cdot \tau)^\dagger \cdot 0_p],\ [i_p],\ [\sigma \cdot i_p],\ [\tau \cdot i_p],\ [\sigma \cdot \tau \cdot i_p]$$

for $i \in [p]$. It is easy to check that $T$ satisfies the functorial dagger implication for any base $\rho$ with target 1. It follows from [16] that $T$ satisfies the functorial dagger implication for all base morphisms. Since

$$[\sigma] \cdot [\bot] = [\bot],$$

$[\sigma] : 1 \to 1$ is pure. Also,

$$[\sigma \cdot \tau] \cdot [\sigma] = [\sigma] \cdot [\tau].$$

But $[\tau^\dagger] = [\bot]$, so that

$$[(\sigma \cdot \tau)^\dagger] \ne [\bot] = [\sigma] \cdot [\tau^\dagger].$$

Hence $T$ is in $FD - FD_p$.


5.7  $\mathrm{V}_\omega \subset \Omega$

Again, we need show only that $\mathrm{V}_\omega \ne \Omega$. Consider the implication
$$f^\dagger = \bot_{1,0} \;\Rightarrow\; f\cdot f = f, \qquad \text{all } f : 1 \to 1. \tag{7}$$
This implication is clearly valid in all tree theories, since in $\Sigma_\bot\mathrm{TR}$, if $f : 1 \to 1$ and $f^\dagger = \bot$, then either $f = 1_1$ or $f = \bot\cdot 0_1$.

We show that, if $A$ is a set with at least 2 elements, the implication does not hold in $\mathrm{Pfn}_A$. Indeed, let $f$ be a nontrivial permutation of $A$ of order two. Then, since there is a unique morphism $1 \to 0$ in $\mathrm{Pfn}_A$, $f^\dagger = \bot_{1,0}$. But $f\cdot f \ne f$.

5.8  $\Omega \subset \mathrm{FD}_\rho$

Using an argument just like that given above for Lemma 5.3, replacing $\lim_k$ with $\sup_k$, it can be shown that $\Omega \subseteq \mathrm{FD}_\rho$.

Now we show that the two quasi-varieties are distinct. The implication
$$f\cdot g = \bot \;\Rightarrow\; f^\dagger = \bot, \qquad \text{all } f : 1 \to 1,\ g : 1 \to 0, \tag{8}$$
holds in $\Omega$. Indeed, in any $\omega$-continuous theory, if $f\cdot g = \bot$,
$$\bot \;\le\; f\cdot\bot \;\le\; f\cdot g \;=\; \bot.$$
Hence $f\cdot\bot = \bot$, which in turn implies $f^n\cdot\bot = \bot$, all $n \ge 1$. Thus $f^\dagger = \sup_n f^n\cdot\bot = \bot$. However, the implication (8) fails in the theory
$$T := (\Sigma\mathrm{TR},\ 1_1^\dagger = \omega)$$
when $\Sigma_1$ contains the letter $\sigma$, say, and $\Sigma_0$ contains the letter $\delta$, and $\omega := \sigma\cdot\delta$. But $T \in \mathrm{FD}_\rho$, by Corollary 5.4. Thus $T \in \mathrm{FD}_\rho - \Omega$.
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5.9  $\Omega_0 \subset \Omega$

This follows immediately from the fact that there are theories in $\Omega$ with more than one morphism $1 \to 0$, e.g. tree theories.

5.10  $\mathrm{FD}_* \subset \mathrm{FD}_\rho$

Since it is clear that $\mathrm{FD}_* \subseteq \mathrm{FD}_\rho$, we show that there is a theory in $\mathrm{FD}_\rho - \mathrm{FD}_*$. Indeed, choose any theory $T$ in $\mathrm{V}_\omega$ with at least two morphisms $1 \to 0$. Then $T$ cannot be in $\mathrm{FD}_*$, since any such theory has a unique morphism $1 \to 0$ (for a proof, see [8]).


5.11  $\mathrm{PFN} \subset \mathrm{REL}$

Since each partial function $A \times [n] \to A \times [p]$ is a relation, $\mathrm{PFN} \subseteq \mathrm{REL}$. We show the inclusion is strict.

For any morphism $p : 1 \to 2$ in a preiteration theory, define the two morphisms $p_T, p_F : 1 \to 1$ as follows:
$$p_T := p\cdot(1_1 \oplus \bot_{1,1}),\qquad p_F := p\cdot(\bot_{1,1} \oplus 1_1).$$
The following implication is valid in PFN:
$$p\cdot(1_1, 1_1) = 1_1 \;\Rightarrow\; p_T\cdot p_F = \bot_{1,1}. \tag{9}$$
Indeed, if $p : A \to A \times [2]$ is a partial function, then if $p\cdot(1_1, 1_1) = 1_1$, then for each $a \in A$, either $ap = (a,1)$ or $ap = (a,2)$. If $ap = (a,1)$ then $ap_F$ is undefined, $ap_T$ is defined, and $ap_T = a$. If $ap = (a,2)$, then $ap_T$ is undefined and $ap_F = a$. In either case, $a\,p_T\cdot p_F$ is undefined. Thus, $p_T\cdot p_F = \bot_{1,1}$.

To see that this implication (9) is not valid in REL, let $A := \{x\}$ and suppose that $p : 1 \to 2$ is the relation satisfying $xp = \{(x,1), (x,2)\}$. Then $p\cdot(1_1, 1_1) = 1_1 = p_T\cdot p_F$.

5.12  $\mathrm{REL} \subset \Omega_0$

Note that the following implication is valid in REL.
$$p\cdot(1_1, 1_1) = 1_1 \;\wedge\; p_T\cdot p_F = \bot_{1,1} \;\Rightarrow\; p\cdot(p \oplus p) = p\cdot(1_1 \oplus 0_2 \oplus 1_1), \tag{10}$$
where $p : 1 \to 2$. The morphisms $p_T, p_F : 1 \to 1$ are defined above in Section 5.11. Indeed, if the equation $p\cdot(1_1, 1_1) = 1_1$ holds in $\mathrm{Rel}_A$, then for each $a \in A$, $a\,p\,(a,1)$ or $a\,p\,(a,2)$, or both. The second equation guarantees that at most one of these conditions can hold, so that, in fact, $p$ is a total function $A \to A \times [2]$ which takes $a \in A$ to either $(a,1)$ or $(a,2)$. It follows that if the hypotheses of (10) hold in $\mathrm{Rel}_A$, so does the conclusion.

But let $D$ be the three element chain $\mathrm{BOT} < a < \mathrm{TOP}$. Consider the least subtheory $T$ of $\mathrm{Pow}_D$, the theory of all functions on $D$, containing the constant function BOT and the meet function $x \wedge y$. A morphism $f : 1 \to p$ in $T$ is either the constant function $D^p \to D$ with value BOT or $f(x_1, \dots, x_p) = \bigwedge\{x_i : i \in I\}$, for some nonempty $I \subseteq [p]$. Thus, the unique morphism $\bot : 1 \to 0$ in $T$ has the value BOT. It follows that $T$ is a subiteration theory of the theory of all continuous functions $D^p \to D^n$. Hence $T$ is in $\Omega_0$, and

/'  := 

II 

for $f : 1 \to 1 + p$. But $T$ does not satisfy the implication (10). Indeed, let $p(x_1, x_2) = x_1 \wedge x_2$. Then
$$p(x,x) = x,$$
$$p_T\cdot p_F(x) = x \wedge \mathrm{BOT} = \mathrm{BOT}.$$
However,
$$p\cdot(p \oplus p)(x,y,u,v) = p(p(x,y),\,p(u,v)) = x \wedge y \wedge u \wedge v \;\ne\; p\cdot(1_1 \oplus 0_2 \oplus 1_1)(x,y,u,v) = p(x,v) = x \wedge v.$$


5.13  $\Omega_0 \subset \mathrm{FD}_*$

In each theory in $\Omega_0$, every morphism is pure. Since $\Omega \subseteq \mathrm{FD}_\rho$, it follows that $\Omega_0 \subseteq \mathrm{FD}_*$. We will use the following implication, which holds in $\Omega_0$:
$$f\cdot(\bot_{1,1}, 1_1) = 1_1 \;\wedge\; f\cdot(1_1, 1_1) = 1_1 \;\Rightarrow\; f^\dagger = 1_1,$$
where $f : 1 \to 2$. Indeed, note that if the hypotheses of the implication hold for $f$, then $f^n\cdot(\bot_{1,1}, 1_1) = 1_1$, for all $n \ge 1$.

Now consider the three element idempotent star semiring $S_* = \{0, 1, 1^*\}$, with the star defined by
$$x^* := \begin{cases} 1 & \text{if } x = 0 \\ 1^* & \text{otherwise.}\end{cases}$$
This semiring is $\omega$-complete, when any infinite sum with infinitely many nonzero summands is defined to be $1^*$. It follows that the matrix theory $\mathrm{Mat}_{S_*}$ is an iteration theory (see [8]). The iteration operation applied to any $n$ by $n + p$ matrix $f = [a\ \ b]$ (where $a$ is $n$ by $n$ and $b$ is $n$ by $p$) yields
$$f^\dagger := a^* b,$$
where $a^*$ is the star of the matrix $a$.
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Now if $T = \mathrm{Mat}_S$ and if $S$ is any $\omega$-complete semiring, then $T$ is in $\mathrm{FD}_*$ [5, 8]. But in $\mathrm{Mat}_{S_*}$, let $f := [1\ \ 1]$. Then
$$f\cdot(\bot_{1,1}, 1_1) = [1\ \ 1]\begin{bmatrix} 0 \\ 1 \end{bmatrix} = 1, \qquad f\cdot(1_1, 1_1) = [1\ \ 1]\begin{bmatrix} 1 \\ 1 \end{bmatrix} = 1,$$
but $f^\dagger = 1^*$. Hence $T \in \mathrm{FD}_* - \Omega_0$.
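As an added example that is not part of the paper, the following Python encodes the semiring $S_*$ with its sum, product and star, computes $f^\dagger = a^*b$ for the $1 \times 2$ matrix $f = [1\ \ 1]$, and contrasts it with the value that the $\omega$-continuous iteration from $\bot$ (the sequence $x_0 = 0$, $x_{k+1} = f\cdot(x_k, 1_1)$) would give. All function names are this example's own.

```python
# Added example, not from the paper: the idempotent star semiring S_* = {0, 1, 1*}
# of Section 5.13 and the dagger f^dagger = a* b on 1-by-(1+p) matrices over it.
# Elements are encoded as the Python values 0, 1 and the string "1*".
ZERO, ONE, STAR = 0, 1, "1*"
ELEMENTS = (ZERO, ONE, STAR)


def add(x, y):
    """Idempotent sum: 0 is neutral, 1 + 1 = 1, and x + 1* = 1* for every x."""
    if STAR in (x, y):
        return STAR
    return ONE if ONE in (x, y) else ZERO


def mul(x, y):
    """Product: 0 annihilates, 1 is neutral, 1* . 1* = 1*."""
    if ZERO in (x, y):
        return ZERO
    return STAR if STAR in (x, y) else ONE


def star(x):
    """x* = 1 if x = 0, and 1* otherwise (the star of Section 5.13)."""
    return ONE if x == ZERO else STAR


def star_axiom_holds():
    """Check the star axiom x* = 1 + x x* on all three elements."""
    return all(star(x) == add(ONE, mul(x, star(x))) for x in ELEMENTS)


def row_times_column(row, col):
    """Product of a 1-by-n row with an n-by-1 column over S_*."""
    acc = ZERO
    for r, c in zip(row, col):
        acc = add(acc, mul(r, c))
    return acc


def dagger(f):
    """f = [a b] : 1 -> 1 + p.  In Mat_{S_*}, f^dagger = a* b, taken entrywise."""
    a, b = f[0], f[1:]
    return [mul(star(a), bi) for bi in b]


def kleene_iterate(f, steps=10):
    """The omega-continuous candidate for f^dagger when f : 1 -> 1 + 1:
    x_0 = 0 (bottom), x_{k+1} = f . (x_k, 1_1).  Returns the value it stabilises at."""
    x = ZERO
    for _ in range(steps):
        x = row_times_column(f, [x, ONE])
    return x


def counterexample():
    """f = [1 1]: f.(bottom, 1_1) = 1 and f.(1_1, 1_1) = 1, yet f^dagger = 1*,
    whereas iteration from bottom stops at 1."""
    f = [ONE, ONE]
    hyp1 = row_times_column(f, [ZERO, ONE])   # bottom_{1,1} is the zero matrix
    hyp2 = row_times_column(f, [ONE, ONE])
    return hyp1, hyp2, dagger(f)[0], kleene_iterate(f)
```

The last component returned by `counterexample` shows why $\mathrm{Mat}_{S_*}$ is not in $\Omega_0$: the supremum of the iterates is $1$, but the dagger of the matrix theory is $1^* \ne 1$.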

5.14  $\mathrm{REL} \subset \mathrm{MAT}$

It is known from [8] that $\mathrm{REL} \subseteq \mathrm{MAT}$. The theory $T = \mathrm{Mat}_{S_*}$ in the previous section does not belong to $\Omega_0$, and hence does not belong to REL.

5.15  $\mathrm{MAT} \subset \mathrm{IT}$

This follows immediately from the fact that all theories in MAT have a unique morphism $1 \to 0$.

6  Incomparable Quasi-Varieties

It is obvious that $\mathrm{V}_\omega - \mathrm{FD}_*$ and $\mathrm{V}_\omega - \mathrm{MAT}$ are nonempty, since all theories in $\mathrm{FD}_*$ and MAT have a unique morphism $1 \to 0$. Thus, by inspecting Figure 1, page 11, it will be seen that all of the incomparability results will follow once we can prove that each of the following classes is nonempty:
$$\mathrm{PFN} - \mathrm{GA},\quad \mathrm{PI} - \mathrm{FD}_\rho,\quad \mathrm{FD}_* - \Omega,\quad \Omega_0 - \mathrm{MAT},\quad \mathrm{MAT} - \mathrm{FD}_2. \tag{11}$$
Indeed, for example, if $\mathrm{PFN} \subseteq X$ and $Y \subseteq \mathrm{GA}$, for some quasi-varieties $X, Y$, then it follows from the fact that $\mathrm{PFN} - \mathrm{GA}$ is nonempty that $X - Y \ne \emptyset$.

We now proceed to prove the statements in (11).


6.1  $\mathrm{PFN} - \mathrm{GA} \ne \emptyset$

Let $A := \{a, b\}$ and let $f, g : A \to A \times [3]$ be the following (total) functions.
$$af := (b,1),\qquad bf := (b,3),\qquad ag := (b,3),\qquad bg := (a,2).$$
Then
$$af^{\dagger\dagger} = bf^{\dagger\dagger} = ag^{\dagger\dagger} = bg^{\dagger\dagger} = (b,1).$$
Hence $f^{\dagger\dagger} = g^{\dagger\dagger}$ is the total function $A \to A$ with value $b$. Now if the GA-implication were true in $\mathrm{Pfn}_A$,
$$f^{\dagger\dagger} = h^\dagger,$$
where $h := f\cdot(g^\dagger, 1_2)$. But note that
$$ah = bg^\dagger = (a,1),$$
so that $h^\dagger$ is not defined on $a$.

6.2  $\mathrm{PI} - \mathrm{FD}_\rho \ne \emptyset$

Let $\Sigma$ consist of two letters $\{g, h\}$ of rank 1, and let $T$ be the quotient theory of the free iteration theory $\Sigma\mathrm{tr}$ with respect to the smallest iteration theory congruence $\theta$ such that
$$g\cdot h \equiv g \pmod\theta,\qquad g\cdot\bot \equiv \bot \pmod\theta,\qquad g^\dagger \equiv \bot \pmod\theta.$$
The morphisms $1 \to 1$ in $T$ are the congruence classes of the following trees:

•  $h^n\cdot g^m$, for $n, m \ge 0$,

•  $h^\dagger$,

•  $h^n\cdot\bot\cdot 0_1$,

•  $h^n\cdot g^m\cdot h^\dagger$.

The theory $T$ is ideal, and for any ideal $r : 1 \to 1$, the fixed point equation $x = r\cdot x$ has a unique solution. Indeed, consider the equation $x = h^n\cdot g^m\cdot x$, where $x : 1 \to 0$. If $m \ne 0$, the unique solution is $h^n\cdot\bot$. When $m = 0$ but $n \ne 0$, the unique solution is $h^\dagger$. Thus $T$ is in PI.

But $T$ is not in $\mathrm{FD}_\rho$. Indeed,
$$1_1\cdot g \equiv g\cdot h \pmod\theta,$$
and $g$ is pure, but
$$1_1^\dagger = \bot \not\equiv g\cdot h^\dagger \pmod\theta.$$
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6.3  $\mathrm{FD}_* - \Omega \ne \emptyset$

This fact follows immediately from the fact that $\mathrm{FD}_* - \Omega_0 \ne \emptyset$, proved above in Section 5.13.

6.4  $\Omega_0 - \mathrm{MAT} \ne \emptyset$

The example in Section 5.13 shows that there is some theory in $\mathrm{MAT} - \Omega_0$. We now show that there is a theory in $\Omega_0 - \mathrm{MAT}$.

Let $T$ be the least subiteration theory of the iteration theory of all order preserving functions on the 3 element chain $\mathrm{BOT} < a < \mathrm{TOP}$ containing the constant function BOT and the function
$$f(x,y) := \begin{cases} y & \text{if } x = \mathrm{BOT} \\ \mathrm{BOT} & \text{if } y = \mathrm{BOT} \\ \mathrm{TOP} & \text{otherwise.}\end{cases}$$
We note that
$$f^\dagger(x) = f(x,x) = \begin{cases} \mathrm{BOT} & \text{if } x = \mathrm{BOT} \\ \mathrm{TOP} & \text{otherwise,}\end{cases}$$
$$f^{\dagger\dagger} = \mathrm{BOT}.$$
Since $T$ has a unique morphism $1 \to 0$, $T$ is in $\Omega_0$.

The following implication is valid in MAT. For all $f, g : 1 \to 2$, if
$$f\cdot(1_1, \bot_{1,1}) = g\cdot(1_1, \bot_{1,1}) \quad\text{and}\quad f\cdot(\bot_{1,1}, 1_1) = g\cdot(\bot_{1,1}, 1_1)$$
then
$$f = g.$$
Indeed, write $f = [a, b]$, $g = [c, d]$. Then the first equation says $a = c$ and the second says $b = d$.

Now in the above theory $T$, let $g = 0_1 \oplus 1_1$, i.e., $g(x,y) = y$. Then
$$f\cdot(\bot_{1,1}, 1_1) = f(\mathrm{BOT}, x) = x = g(\mathrm{BOT}, x);$$
$$f\cdot(1_1, \bot_{1,1}) = f(x, \mathrm{BOT}) = \mathrm{BOT} = g(x, \mathrm{BOT}).$$
But $f \ne g$, since, e.g., $f(a,a) = \mathrm{TOP}$ and $g(a,a) = a$.
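As an added example that is not part of the paper, the following Python checks the computations of Sections 5.12 and 6.4 on the chain $\mathrm{BOT} < a < \mathrm{TOP}$, encoding morphisms $1 \to p$ as functions $D^p \to D$ and the dagger as the least fixed point reached by iterating from BOT (the chain is finite, so the iteration stabilises). The function names are this example's own.

```python
# Added example, not from the paper: the three-element chain BOT < a < TOP of
# Sections 5.12 and 6.4, with morphisms 1 -> p taken as functions D^p -> D and the
# dagger computed as a least fixed point by iteration from BOT.
from itertools import product

BOT, A, TOP = 0, 1, 2           # the chain, ordered as integers
D = (BOT, A, TOP)


def meet(x, y):
    """The meet p(x1, x2) = min(x1, x2) of Section 5.12."""
    return min(x, y)


def f64(x, y):
    """The generating function f of Section 6.4."""
    if x == BOT:
        return y
    return BOT if y == BOT else TOP


def is_monotone(f, arity):
    """Order preservation of f : D^arity -> D, checked on all pairs of points."""
    pts = list(product(D, repeat=arity))
    return all(f(*s) <= f(*t) for s in pts for t in pts
               if all(si <= ti for si, ti in zip(s, t)))


def dagger(f):
    """f : 1 -> 1 + p as a function of 1 + p arguments.  Returns the function of the
    p parameters giving the least solution of x = f(x, params), found by iterating
    from BOT."""
    def f_dagger(*params):
        x = BOT
        while True:
            nxt = f(x, *params)
            if nxt == x:
                return x
            x = nxt
    return f_dagger


def implication_10(p):
    """Hypotheses and conclusion of implication (10) for p : 1 -> 2 on this chain.
    p_T = p.(1_1 (+) bottom), p_F = p.(bottom (+) 1_1); bottom is the constant BOT."""
    p_T = lambda x: p(x, BOT)
    p_F = lambda x: p(BOT, x)
    hyp = (all(p(x, x) == x for x in D)
           and all(p_F(p_T(x)) == BOT for x in D))
    concl = all(p(p(x, y), p(u, v)) == p(x, v)
                for x, y, u, v in product(D, repeat=4))
    return hyp, concl


def section_6_4():
    """Checks for Section 6.4: f is order preserving, f^dagger and f^dagger^dagger are
    as stated, f and g = 0_1 (+) 1_1 agree on both 'axes', yet f != g."""
    g = lambda x, y: y
    f_dag = dagger(f64)
    f_dag_dag = dagger(lambda x: f_dag(x))      # a morphism 1 -> 0: a constant
    on_axes = all(f64(BOT, x) == g(BOT, x) and f64(x, BOT) == g(x, BOT) for x in D)
    equal = all(f64(x, y) == g(x, y) for x, y in product(D, repeat=2))
    return is_monotone(f64, 2), [f_dag(x) for x in D], f_dag_dag(), on_axes, equal
```

`implication_10(meet)` returns `(True, False)`: the hypotheses of (10) hold for the meet but the conclusion fails, as in Section 5.12; `section_6_4()` confirms that $f$ is monotone, $f^\dagger = (\mathrm{BOT}, \mathrm{TOP}, \mathrm{TOP})$ on $(\mathrm{BOT}, a, \mathrm{TOP})$, $f^{\dagger\dagger} = \mathrm{BOT}$, and that $f$ and $g$ agree on both axes without being equal.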


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6.5  $\mathrm{MAT} - \mathrm{FD}_2 \ne \emptyset$

We will construct a matrix theory $T$ over a semiring which is a quotient of the semiring of regular subsets of $\Sigma^*$, where $\Sigma = \{a, b, c, d\}$. The congruence is the least $*$-semiring congruence which identifies the sets $\{a,b\}$ and $\{c,d\}$.

Recall that for any language $L \subseteq \Sigma^*$, the set of factors of $L$ is defined as follows.
$$\mathrm{fac}\,L := \{u \in \Sigma^* : w u w' \in L,\ \text{some } w, w' \in \Sigma^*\}.$$

An $n$-state nondeterministic finite automaton (nfa) over $\Sigma$ is a triple $M = (\alpha, A, \gamma)$, where $A$ is an $n \times n$ matrix whose entries are subsets of $\Sigma$, and where $\alpha : 1 \to n$ and $\gamma : n \to 1$ are 0-1 matrices. The behavior of $(\alpha, A, \gamma)$ is the regular language
$$|M| := \alpha A^* \gamma.$$
The states of $M$ are the integers in $[n]$: there is an edge $(i,j)$ with source $i$ and target $j$ in $M$ if $A_{i,j}$ is nonempty, in which case a label of such an edge is any letter in the set $A_{i,j}$. (Equivalently, one might say there is one edge from $i$ to $j$ for each letter in $A_{i,j}$.) For states $j, j'$, a path from $j$ to $j'$ is a sequence of states $j = i_0, \dots, i_m = j'$, such that $(i_k, i_{k+1})$ is an edge, for each $k < m$; a label of such a path is any word $x_1 \dots x_m \in \Sigma^m$ such that $x_{k+1} \in A_{i_k, i_{k+1}}$ for $0 \le k < m$. The initial states of $M$ are those states $i$ such that $\alpha_{1,i} = 1$; the final states are those states $j$ such that $\gamma_{j,1} = 1$. The accessible states are those on paths whose source is an initial state; the coaccessible states are those on paths whose target is a final state.

It may easily be shown that the behavior of $(\alpha, A, \gamma)$ is the set of all words which label paths from an initial state to a final state, since $A^* = \bigcup_{k \ge 0} A^k$.

Thus, if $L$ is the behavior of some nfa $M$, $v \in \mathrm{fac}\,L$ iff $v$ is a label of some path in $M$ whose source is an accessible state and whose target is a coaccessible state.

For a positive integer $K$, say that a language is $K$-bounded if for all words $u$, and all nonnegative integers $m$,
$$(u(a+b))^m \subseteq \mathrm{fac}\,L \;\Rightarrow\; m < K, \quad\text{and} \tag{12}$$
$$(u(c+d))^m \subseteq \mathrm{fac}\,L \;\Rightarrow\; m < K. \tag{13}$$
$L$ is bounded if $L$ is $K$-bounded, for some integer $K$. Note that for any $L, u, n, m$, if
$$(u(c+d))^{n+m} \subseteq \mathrm{fac}\,L$$
then
$$(u(c+d))^n \subseteq \mathrm{fac}\,L.$$

Example 6.1  The language $(a + b + c + d)^*$ is not bounded, and $(a + bc)^*(1 + bd)$ is 2-bounded. $\square$
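As an added example, not from the paper: an nfa $M = (\alpha, A, \gamma)$ represented as in the definitions above, with the path characterisation of $\mathrm{fac}\,|M|$ and a test of $(u(x+y))^m \subseteq \mathrm{fac}\,|M|$ for a given word $u$, exponent $m$ and letter pair. The two automata are constructed here for the languages of Example 6.1; all names are this example's own.

```python
# Added example, not from the paper: nfas M = (alpha, A, gamma) as in Section 6.5,
# with A an n-by-n matrix of letter sets and alpha, gamma 0-1 vectors; fac|M| via
# paths from accessible to coaccessible states; and a test of (u(x+y))^m ⊆ fac|M|.
from itertools import product

# Constructed automaton for (a + b + c + d)*: one state, all four letters loop on it.
M_ALL = ([1], [[{"a", "b", "c", "d"}]], [1])

# Constructed automaton for (a + bc)*(1 + bd): states 0, 1, 2; 0 initial; 0, 2 final.
M_BOUNDED = (
    [1, 0, 0],
    [[{"a"}, {"b"}, set()],
     [{"c"}, set(), {"d"}],
     [set(), set(), set()]],
    [1, 0, 1],
)


def reachable(A, start, forward=True):
    """States on paths whose source (forward) or target (backward) lies in `start`."""
    seen, stack = set(start), list(start)
    while stack:
        i = stack.pop()
        for j in range(len(A)):
            step = A[i][j] if forward else A[j][i]
            if step and j not in seen:
                seen.add(j)
                stack.append(j)
    return seen


def accessible(M):
    alpha, A, _ = M
    return reachable(A, [i for i, v in enumerate(alpha) if v])


def coaccessible(M):
    _, A, gamma = M
    return reachable(A, [j for j, v in enumerate(gamma) if v], forward=False)


def path_targets(A, sources, word):
    """All states reachable from `sources` along some path labeled `word`."""
    cur = set(sources)
    for letter in word:
        cur = {j for i in cur for j in range(len(A)) if letter in A[i][j]}
    return cur


def in_behavior(M, word):
    """word in |M| = alpha A* gamma: it labels a path from an initial to a final state."""
    alpha, A, gamma = M
    init = [i for i, v in enumerate(alpha) if v]
    return any(gamma[j] for j in path_targets(A, init, word))


def is_factor(M, word):
    """v in fac|M| iff v labels a path from an accessible to a coaccessible state."""
    _, A, _ = M
    return bool(path_targets(A, accessible(M), word) & coaccessible(M))


def power_subset_of_factors(M, u, pair, m):
    """Is (u(x+y))^m ⊆ fac|M|, for pair = (x, y)?  Checks all 2^m words."""
    return all(is_factor(M, "".join(u + x for x in choice))
               for choice in product(pair, repeat=m))


def largest_m(M, u, pair, limit):
    """Largest m <= limit with (u(x+y))^m ⊆ fac|M|.  K-boundedness needs m < K."""
    m = 0
    while m < limit and power_subset_of_factors(M, u, pair, m + 1):
        m += 1
    return m
```

For `M_ALL` the exponent grows up to whatever limit is given, so no $K$ works and the language is not bounded; for `M_BOUNDED` the exponent stops at 1 for both letter pairs, in line with the language being 2-bounded (a finite search over $u$ and $m$ can only exhibit witnesses, not prove boundedness, which is what Theorem 6.2 below is for).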
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Let $M = (\alpha, A, \gamma)$ and $M' = (\alpha, B, \gamma)$ be two $n$-state finite automata, with the same initial and final states. We write $M \sim M'$ if there is an edge $(i,j)$ of $M$ with $A_{i,j} = \{a,b\} \cup Z$ and $B_{i,j} = \{c,d\}$, or if $A_{i,j} = \{c,d\} \cup Z$ and $B_{i,j} = \{a,b\}$. (Here, in the first case $Z$ is some subset of $\{c,d\}$ and in the second, $Z$ is a subset of $\{a,b\}$.) Thus, $M \sim M'$ if it is possible to obtain $M'$ by changing the set of labels of one edge of $M$ by replacing $\{a,b\}$ by $\{c,d\}$ or vice versa. Note that the set of accessible or coaccessible states in $M$ are exactly those in $M'$.

Theorem 6.2  Suppose that $M = (\alpha, A, \gamma)$ and $M' = (\alpha, B, \gamma)$ are automata with $M \sim M'$. If $L = |M|$ is $K$-bounded, then $R = |M'|$ is $2K$-bounded.

Proof. Let $e = (i,j)$ be the edge in $M$ whose label is changed in order to obtain $M'$. Suppose that $L$ is $K$-bounded, and in order to produce a contradiction, suppose that the implication
$$\forall u\,\forall m\,[(u(c+d))^m \subseteq \mathrm{fac}\,R \;\Rightarrow\; m < 2K]$$
is false. Then there is a word $u$ and some integer $m \ge 2K$ such that
$$(u(c+d))^m \subseteq \mathrm{fac}\,R.$$
As noted above, it then follows that
$$(u(c+d))^{2K} \subseteq \mathrm{fac}\,R \quad\text{and}\quad (u(c+d))^K \subseteq \mathrm{fac}\,R.$$
Since $L$ is $K$-bounded, there is some word $w$ in $(u(c+d))^K$ with the property that there is no path labeled $w$ in $M$ whose source is an accessible state and whose target is coaccessible. But there is such a path in $M'$, so this path must use the edge $e$, whose label was changed. Similarly, there is a path in $M'$ whose source is accessible, whose target is coaccessible, and whose label is $ww$, since $ww \in (u(c+d))^{2K}$. Thus, this second path must use the edge $e$ twice, showing that the edge $e$ lies on a cycle all of whose vertices are both accessible and coaccessible. If $v : j \to i$ is a label of the rest of the cycle, then $v$ is a label of a path $j \to i$ in both $M$ and $M'$, and if $a, b \in A_{i,j}$, then $(v(a+b))^m \subseteq \mathrm{fac}\,L$, for all $m$, contradicting the hypothesis. (Similarly if $c, d \in A_{i,j}$, then $(v(c+d))^m \subseteq \mathrm{fac}\,L$, all $m$.)

The same argument shows that the implication
$$\forall v\,\forall m\,[(v(a+b))^m \subseteq \mathrm{fac}\,R \;\Rightarrow\; m < 2K]$$
holds as well. Thus, $R$ is $2K$-bounded. $\square$

For languages $L, L'$, say $L \sim L'$ if there are automata $M, M'$ with $M \sim M'$, where $L$ is the behavior of $M$ and $L'$ is the behavior of $M'$.

Definition 6.3  For languages $L, R$, say $L \approx R$ if either $L = R$ or there is a finite sequence $L_1, \dots, L_n$ of languages such that $L = L_1$, $R = L_n$ and $L_i \sim L_{i+1}$, for $i < n$.
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We omit the proof of the following theorem, which makes use of some of the constructions in Chapter 9, Section 4 of [8].

Theorem 6.4  The relation $\approx$ is the least congruence relation on the $*$-semiring of regular subsets of $\Sigma^*$ such that $\{a,b\} \approx \{c,d\}$.

Corollary 6.5  Suppose that $L \approx R$ and $L$ is bounded. Then $R$ is bounded.

Proof. This follows immediately from Theorem 6.2. $\square$

Now let $T = \mathrm{Mat}_S$, where $S$ is the quotient of the regular subsets of $\Sigma^*$ by $\approx$. Define $A : 2 \to 2$ as the matrix
$$A = \begin{bmatrix} a & b \\ c & d \end{bmatrix}.$$
Then, if $\rho : 2 \to 1$ is the base morphism, we have
$$A\cdot\rho = \rho\cdot(\{a,b,c,d\})$$
in $T$, since $\{a,b\} \approx \{c,d\} \approx \{a,b,c,d\}$. If $T$ satisfies the functorial dagger implication for the base morphism with source 2, then
$$A^*\cdot\rho = \rho\cdot\{a,b,c,d\}^*.$$
But
$$A^* = \begin{bmatrix} (a + bd^*c)^* & (a + bd^*c)^*bd^* \\ (d + ca^*b)^*ca^* & (d + ca^*b)^* \end{bmatrix}.$$
Letting $L$ denote the sum of the first two entries of $A^*$, we see that $L$ is bounded. But $\{a,b,c,d\}^*$ is not (see Example 6.1). Hence $A^*\cdot\rho \ne \rho\cdot\{a,b,c,d\}^*$ in $T$. Thus $T \in \mathrm{MAT} - \mathrm{FD}_2$. $\square$

Note that $T$ is an example of an iteration theory not satisfying the functorial dagger implication.


7  A Chain of Quasi-Varieties

In this section we prove that there is an infinite number of quasi-varieties of iteration theories between FD and IT. It was shown in [13] that if a Conway theory $T$ has a functorial dagger for the base morphism $n \to 1$, where $n > 1$ is any integer, then $T$ has a functorial dagger for all (surjective) base morphisms $n \to m$. The following proposition can be proved in a straightforward way.

Proposition 7.1  If a Conway theory has a functorial dagger for the base morphism $n \to 1$, where $n > 1$ is a given integer, then it has a functorial dagger for all base morphisms $m \to 1$, $m \in [n]$. $\square$
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Let $n \ge 1$ be an integer. Recall that $\mathrm{FD}_n$ denotes the quasi-variety of iteration theories satisfying the quasi-identity
$$f\cdot(\rho \oplus 1_p) = \rho\cdot g \;\Rightarrow\; f^\dagger = \rho\cdot g^\dagger, \tag{14}$$
where $f : n \to n + p$, $g : 1 \to 1 + p$, and where $\rho$ denotes the base morphism $n \to 1$. Thus $\mathrm{FD}_1 = \mathrm{IT}$ and FD is the intersection of the quasi-varieties $\mathrm{FD}_n$. By Proposition 7.1, we have
$$\mathrm{FD}_n \subseteq \mathrm{FD}_{n-1},$$
for all $n \ge 2$. Below we show that each inclusion is proper.

We assume that $n \ge 2$ is a fixed integer. We will be considering trees in $\Sigma_\bot\mathrm{TR}$, where $\Sigma_n = \{\sigma_1, \dots, \sigma_n\}$, and $\Sigma_k = \emptyset$, for $k \ne n$. We let $X_p := \{x_1, \dots, x_p\}$ be the set of the first $p$ variables.

Definition 7.2  Suppose $f : 1 \to p$. We say that $f$ is perfect if $f \ne \bot\cdot 0_p$ and the following conditions hold for all $u \in [n]^*$.

•  If $ui \in \mathrm{dom}\,f$, for some $i \in [n]$, then $f(ui) = \sigma_i$ or $f(ui) \in X_p$.

•  If $f(u1), \dots, f(un)$ are all in $X_p$, then not all values are the same variable.

A tree $n \to p$ is perfect if each $i_n\cdot f$ is perfect, for all $i \in [n]$.

Thus there are $n$ perfect trees $1 \to 0$.

Definition 7.3  Suppose that $f, g : 1 \to p$. We define $f \sim g$ iff $f = g$ or neither $f$ nor $g$ is perfect. When $f, g : n \to p$, for some $n \ge 1$, then $f \sim g$ iff $i_n\cdot f \sim i_n\cdot g$, for all $i \in [n]$.

Thus all non-perfect scalar trees $1 \to p$ are identified. We list some elementary consequences of the definition.

1.  If a tree $t : 1 \to p$ has a non-perfect subtree, then $t$ is not perfect.

2.  If $f$ is not perfect then $f\cdot g$ is not perfect.

3.  If $f$ is not perfect then $f^\dagger$ is not perfect.

4.  If $f$ is perfect, $x_i$ occurs in $f$, and if the $i$-th component of $g$ is not perfect or has root labeled $\sigma_j$ for some $j \ne i$, then $f\cdot g$ is not perfect.

Proposition 7.4  The relation $\sim$ is an iteration theory congruence on trees.

Proof. This follows from the above facts. $\square$

Note that each perfect tree $1 \to p$ forms a singleton $\sim$-congruence class. For the rest of this section we let $T := \Sigma_\bot\mathrm{TR}/\!\sim$.
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Proposition 7.5  The theory $T$ is contained in $\mathrm{FD}_{n-1} - \mathrm{FD}_n$.

Proof. Suppose that
$$f\cdot(\rho \oplus 1_p) \sim \rho\cdot g,$$
where $f : k \to k + p$, $g : 1 \to 1 + p$ are trees, and where $\rho$ is the base morphism $k \to 1$. Suppose that $1 \le k < n$. We will show that $f^\dagger \sim \rho\cdot g^\dagger$.

Case 1: $g$ is perfect. Then $f$ is perfect and
$$f\cdot(\rho \oplus 1_p) = \rho\cdot g.$$
Thus,
$$f^\dagger = \rho\cdot g^\dagger,$$
since $\Sigma_\bot\mathrm{TR}$ has a functorial dagger.

Case 2: $g$ is not perfect. Then for each $i \in [k]$, either $i_k\cdot f$ is not perfect or $i_k\cdot f$ is perfect but has a subtree of the form
$$\sigma(z_1, \dots, z_n),$$
where $\sigma \in \Sigma$ and the $z_j$'s are variables in $X_k$. If $i_k\cdot f$ is not perfect, then
$$i_k\cdot f^\dagger = i_k\cdot f\cdot(f^\dagger, 1_p)$$
is not perfect. If $i_k\cdot f$ has a subtree of the form $\sigma(z_1, \dots, z_n)$, then, since $k < n$, at least two of the $z_j$'s must be the same. Suppose that $z_1 = z_2$, say. But then
$$i_k\cdot f^\dagger = i_k\cdot f\cdot(f^\dagger, 1_p)$$
has a subtree of the form
$$\sigma(t, t, t_3, \dots, t_n),$$
where none of the trees $t, t_3, \dots, t_n$ is a variable. Again, it follows that $i_k\cdot f^\dagger$ is not perfect.

Thus $T$ is in $\mathrm{FD}_{n-1}$. To prove that $T$ is not in $\mathrm{FD}_n$, consider the tree
$$f := (\sigma_1, \dots, \sigma_n) : n \to n.$$
If $\rho$ denotes the base morphism $n \to 1$ then
$$f\cdot\rho \sim \rho\cdot\sigma_1\cdot\rho,$$
but
$$1_n\cdot f^\dagger \not\sim (\sigma_1\cdot\rho)^\dagger,$$
since the tree $1_n\cdot f^\dagger$ is perfect and $(\sigma_1\cdot\rho)^\dagger$ is not. $\square$

Any theory in $\mathrm{FD}_{n-1} - \mathrm{FD}_n$ is another example of an iteration theory which does not satisfy the functorial dagger implication. Thus, we have infinitely many examples of such theories.
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8  Appendix

Suppose that $T$ is any theory. A zero congruence $\theta$ on $T$ is a theory congruence which is generated by an equivalence relation $\theta_0$ on the morphisms with target 0; i.e., $\theta$ is the smallest congruence on $T$ such that $\theta_0 \subseteq \theta$. Zero congruences were first considered in [2], where it was shown that the smallest zero congruence on any iteration theory is in fact an iteration theory congruence. In [8], this result was extended to show that in any preiteration theory satisfying the parameter identity, namely
$$(f\cdot(1_n \oplus g))^\dagger = f^\dagger\cdot g, \qquad \text{all } f : n \to n + p,\ g : p \to q,$$
any zero congruence preserves the dagger operation.

We prove here the following theorem.

Theorem 8.1  Suppose that $\theta$ is a zero congruence on a free iteration theory $\Sigma\mathrm{tr}$ generated by an equivalence relation $\theta_0$ on the morphisms with target 0. Then for any $f, g : n \to p$ in $\Sigma\mathrm{tr}$, $f\,\theta\,g$ iff for some $F : n \to p + k$ and some $\alpha, \beta : k \to 0$,
$$f = F\cdot(1_p \oplus \alpha),\qquad g = F\cdot(1_p \oplus \beta)\quad\text{and}\quad \alpha \equiv \beta \pmod{\theta_0}.$$

Corollary 8.2  With the notation of Theorem 8.1, let $T$ denote the quotient theory $\Sigma\mathrm{tr}/\theta$. Then the functorial dagger implication holds in $T$.

The following proposition, the Zero Congruence Lemma, is known from [2]. See also [8] for further refinements.

Proposition 8.3  For any theory $T$, the least theory congruence $\theta$ containing $\theta_0$ is the transitive closure of the following relation: for $f, g : n \to p$, $f \sim g$ iff for some $F : n \to p + k$, and some $\alpha, \beta : k \to 0$,
$$f = F\cdot(1_p \oplus \alpha),\qquad g = F\cdot(1_p \oplus \beta)\quad\text{and}\quad \alpha \equiv \beta \pmod{\theta_0}. \qquad\square$$

We will show that in $\Sigma\mathrm{tr}$, the relation $f \sim g$ just defined coincides with the relation $\theta$. We make use of the following lemma, proved in the next section.

Lemma 8.4  Suppose that $F\cdot(1_p \oplus \beta) = G\cdot(1_p \oplus \gamma)$ for some $F : n \to p + k$, $G : n \to p + k'$, $\beta : k \to 0$, $\gamma : k' \to 0$ in $\Sigma\mathrm{tr}$. Then for some integer $m \ge 0$, there are trees $H : n \to p + m$ and $Q : m \to k$, $Q' : m \to k'$ in $\Sigma\mathrm{tr}$ such that
$$F = H\cdot(1_p \oplus Q),\qquad G = H\cdot(1_p \oplus Q'),\qquad Q\cdot\beta = Q'\cdot\gamma.$$
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Corollary 8.5  The relations $\sim$ of Proposition 8.3 and $\theta$ are the same.

Proof. We need show only that $\sim$ is transitive, since $\theta$ is the transitive closure of $\sim$. Assume that $f \sim g$, and $g \sim h$, where $f, g, h : n \to p$ in $\Sigma\mathrm{tr}$. Then
$$f = F\cdot(1_p \oplus \alpha),\qquad g = F\cdot(1_p \oplus \beta),$$
for some $F : n \to p + k$, some $\alpha, \beta : k \to 0$ with $\alpha\,\theta_0\,\beta$. Also,
$$g = G\cdot(1_p \oplus \gamma),\qquad h = G\cdot(1_p \oplus \delta),$$
for some $G : n \to p + k'$, some $\gamma, \delta : k' \to 0$ with $\gamma\,\theta_0\,\delta$.

Since $g = F\cdot(1_p \oplus \beta) = G\cdot(1_p \oplus \gamma)$, then, by the lemma, for some trees $H, Q, Q'$ in $\Sigma\mathrm{tr}$, $F = H\cdot(1_p \oplus Q)$, $G = H\cdot(1_p \oplus Q')$ and $Q\cdot\beta = Q'\cdot\gamma$. But then
$$f = H\cdot(1_p \oplus Q)\cdot(1_p \oplus \alpha) = H\cdot(1_p \oplus (Q\cdot\alpha)),$$
$$h = H\cdot(1_p \oplus Q')\cdot(1_p \oplus \delta) = H\cdot(1_p \oplus (Q'\cdot\delta)).$$
Also,
$$Q\cdot\alpha \equiv Q\cdot\beta = Q'\cdot\gamma \equiv Q'\cdot\delta \pmod{\theta_0}.$$
Thus, $Q\cdot\alpha \equiv Q'\cdot\delta \pmod{\theta_0}$, showing $f \sim h$. $\square$

Proof of Corollary 8.2. It is enough to prove that the implication
$$f\cdot(\rho \oplus 1_p) \sim \rho\cdot g \;\Rightarrow\; f^\dagger \sim \rho\cdot g^\dagger$$
holds, when $f : n \to n + p$, $g : 1 \to 1 + p$ in $\Sigma\mathrm{tr}$ and when $\rho : n \to 1$ is the unique base morphism. Thus, suppose that
$$f\cdot(\rho \oplus 1_p) \sim \rho\cdot g.$$
By definition, then, there is some $F : n \to 1 + p + k$, some $\alpha, \beta : k \to 0$ in $\Sigma\mathrm{tr}$ with
$$f\cdot(\rho \oplus 1_p) = F\cdot(1_{1+p} \oplus \alpha),\qquad \rho\cdot g = F\cdot(1_{1+p} \oplus \beta),\quad\text{and}\quad \alpha \equiv \beta \pmod{\theta_0}.$$
Write $F = (F_1, \dots, F_n)$. Since $\rho\cdot g = F\cdot(1_{1+p} \oplus \beta)$, it follows that
$$g = F_i\cdot(1_{1+p} \oplus \beta),$$
for each $i \in [n]$. We will define the tree $G_i : 1 \to n + p + k$ for each $i \in [n]$, such that if $G := (G_1, \dots, G_n) : n \to n + p + k$
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then
$$f = G\cdot(1_{n+p} \oplus \alpha),\qquad F = G\cdot(\rho \oplus 1_{p+k}).$$
Indeed, for each $i \in [n]$, let $G_i$ be obtained from $F_i$ by relabeling any leaf vertex $u$ of $F_i$ labeled $x_1$ by $u(i_n\cdot f)$, and by relabeling any leaf $v$ of $F_i$ labeled $x_{1+j}$, $j \in [p + k]$, by $x_{n+j}$. (Necessarily $u(i_n\cdot f) = x_j$, for some $j \in [n]$.)

Note the following facts.
$$\rho\cdot g = G\cdot(\rho \oplus 1_p \oplus \beta).$$
We will prove that
$$G^\dagger\cdot(1_p \oplus \beta) = \rho\cdot g^\dagger. \tag{15}$$
Indeed,
$$G\cdot(1_{n+p} \oplus \beta)\cdot(\rho \oplus 1_p) = \rho\cdot g,$$
and since the functorial dagger implication is valid in $\Sigma\mathrm{tr}$, it follows that (15) holds. But then, by the parameter identity,
$$f^\dagger = G^\dagger\cdot(1_p \oplus \alpha) \;\sim\; G^\dagger\cdot(1_p \oplus \beta) = \rho\cdot g^\dagger. \qquad\square$$

One application of these results was given in Section 5.4 above. Assume that $f, g \in \Sigma_2$ and let $\theta$ be the zero congruence on $\Sigma\mathrm{tr}$ generated by the least equivalence such that $f^{\dagger\dagger} \sim g^{\dagger\dagger}$. Since both $f^{\dagger\dagger}$ and $g^{\dagger\dagger}$ are morphisms $1 \to 0$, the theory $\Sigma\mathrm{tr}/\theta$ satisfies the functorial dagger implication, by Corollary 8.2. Note that the tree $f^{\dagger\dagger}$ is the complete binary tree with each vertex labeled $f$. If $h : 1 \to 1$ is the tree
$$h := g\cdot(f^\dagger, 1_1),$$
then it is not the case that
$$h^\dagger \equiv f^{\dagger\dagger} \pmod\theta,$$
by Theorem 8.1, since $h^\dagger$ has no subtree equal to either $f^{\dagger\dagger}$ or to $g^{\dagger\dagger}$. Thus, the GA-implication fails in $T$.

It remains to prove Lemma 8.4.


8.1  Proof of the Lemma

We call a vertex $u$ of $f$ a zero vertex if the subtree $f_u$ of $f$ rooted at $u$ is a zero subtree, i.e., $f_u$ is $t\cdot 0_p$, for some $t : 1 \to 0$ in $\Sigma\mathrm{tr}$. A tree with no zero vertices is coaccessible. A minimal zero vertex of $f$ is a zero vertex of $f$ which has no proper prefix which is also a zero vertex. We let $\mathrm{MZ}(f)$ denote the set of minimal zero vertices of $f$.

Suppose that $f = F\cdot(1_p \oplus \alpha) : 1 \to p$, where $F : 1 \to p + k$ and $\alpha : k \to 0$.

1.  If $f$ has no zero vertices, then $F$ factors through $p$, i.e., $F = F' \oplus 0_k$, for some $F' : 1 \to p$, and $F'$ is coaccessible. If the empty word is a zero vertex, then $F$ factors outside of $p$, i.e., $F = 0_p \oplus F'$, for some $F' : 1 \to k$.

2.  If $u$ is a zero vertex of $f$ and $uv \in \mathrm{dom}\,f$, then $uv$ is also a zero vertex of $f$.

3.  If $u$ is a minimal zero vertex of $f$, then $u \in \mathrm{dom}\,F$. Indeed, otherwise $u = vv'$, where $vF = x_{p+j}$ and $v' \in \mathrm{dom}\,\alpha_j$. But then $v$ is also a zero vertex of $f$, showing $u$ is not minimal.

4.  Since $f$ is regular, the collection of trees $\{f_u : 1 \to 0 \mid u \in \mathrm{MZ}(f)\}$ is finite.

Now assume that $f = F\cdot(1_p \oplus \beta) = G\cdot(1_p \oplus \gamma)$, as in the statement of Lemma 8.4. Let $X$ be the (regular) set of all minimal zero vertices $u$ of $f$ such that $F_u$ or $G_u$ contains a leaf labeled by some variable (which is necessarily $x_{p+j}$ for some $j > 0$). Note that if $u \in X$, then $u \in \mathrm{dom}\,F \cap \mathrm{dom}\,G$, and if $v$ is any leaf of $F_u$, then the label of $v$ is $x_{p+j}$ for some $j > 0$. Indeed, otherwise, $u$ would not be a zero vertex of $f$. Similarly, if $v$ is a leaf of $G_u$ labeled by a variable, its label is $x_{p+j}$ for some $j > 0$.

We let $H$ be $f$ "cut off" at $X$. Assume there are $m$ trees $\delta_1, \dots, \delta_m$ of the form $f_u$, $u \in X$.

Definition 8.6  The tree $H : 1 \to p + m$ is defined as follows. The domain of $H$ is the regular set consisting of $X$ together with the set of all vertices of $f$ having no prefix in $X$. For $u \in \mathrm{dom}\,H$,
$$uH := \begin{cases} uf & \text{if } u \text{ has no prefix in } X \\ x_{p+i} & \text{if } u \in X \text{ and } f_u = \delta_i \\ \text{undefined} & \text{otherwise.}\end{cases}$$

Remark 8.7  The tree $H$ is regular. If the set $X$ is empty, then $m = 0$.

Now we define the trees $Q : m \to k$, $Q' : m \to k'$. Suppose that $u \in X$ and $f_u = \delta_i$. Then $u \in \mathrm{dom}\,F \cap \mathrm{dom}\,G$, by item 3 above.

Definition 8.8
$$vQ_i := \begin{cases} vF_u & \text{if } vF_u \text{ is not a variable} \\ x_j & \text{if } vF_u = x_{p+j},\end{cases}
\qquad
vQ'_i := \begin{cases} vG_u & \text{if } vG_u \text{ is not a variable} \\ x_j & \text{if } vG_u = x_{p+j}.\end{cases}$$

Then, by construction, for $u \in X$ and $f_u = \delta_i$,
$$f_u = Q_i\cdot\beta = Q'_i\cdot\gamma.$$
It follows that
$$Q\cdot\beta = Q'\cdot\gamma.$$
Further,
$$F = H\cdot(1_p \oplus Q),\qquad G = H\cdot(1_p \oplus Q').$$

When $n > 1$ and $f = (f_1, \dots, f_n) : n \to p$ can be written in two ways as above, we use the same procedure; we now let $X_i$ be the set of minimal zero vertices $u$ in the tree $f_i$ such that $(F_i)_u$ or $(G_i)_u$ contains a leaf labeled by a variable. Let $m$ be the number of all subtrees $(f_i)_u$, $u \in X_i$, $i \in [n]$. Define the domain of the tree $H_i : 1 \to p + m$, $i \in [n]$, as the set of vertices in $X_i$ together with those vertices in the domain of $f_i$ having no prefix in $X_i$; the values of $H_i$ are as above. The trees $Q, Q'$ are defined exactly as before. We omit the remaining details. $\square$


8.2  A Generalization

The proof of Corollary 8.2 suggests that the following notion may be of interest. Suppose that $T$ is any theory.

Definition 8.9  $T$ has the lifting property if for any morphisms $f : n \to n + p$, $F : n \to 1 + p + k$ and $\alpha : k \to 0$ in $T$, if
$$f\cdot(\rho \oplus 1_p) = F\cdot(1_{1+p} \oplus \alpha),$$
where $\rho : n \to 1$ is the unique base morphism, then there is some $G : n \to n + p + k$ such that
$$f = G\cdot(1_{n+p} \oplus \alpha),\qquad F = G\cdot(\rho \oplus 1_{p+k}).$$

It was shown above that $\Sigma\mathrm{tr}$ has the lifting property. We state without proof the following facts.

Proposition 8.10  Each matricial theory [11, 8] has the lifting property, as does each theory $\mathrm{Pfn}_A$ and $\mathrm{Rel}_A$. $\square$

Proposition 8.11  Suppose that $T$ is an iteration theory which has the lifting property. Then if $T$ satisfies the functorial dagger implication, so does $T/\theta$, where $\theta$ is any zero congruence on $T$. $\square$
Abstract

The probabilistic power domain construction of Jones and Plotkin [6, 7] is defined by a construction on dcpo's. We present alternative definitions in terms of information systems à la Vickers [12], and in terms of locales. On continuous domains, all three definitions coincide.


1 Introduction

To model probabilistic and randomized algorithms in the semantic framework of dcpo's and Scott continuous functions, Jones and Plotkin introduce in [6, 7] the probabilistic power domain construction $\mathcal{P}_D$. It forms a computational monad in the sense of [8] in the category of dcpo's and continuous functions and various of its subcategories of 'domains'. Every probabilistic power domain $\mathcal{P}_D X$ is equipped with a family of binary operations $+_p$ indexed by a real number $p$ between 0 and 1 such that $A +_p B$ denotes the result of choosing $A$ with probability $p$ and $B$ with probability $1 - p$.

Other applications of $\mathcal{P}_D$ were found in [1]. The probabilistic power domain of the upper power space [10] of a second countable locally compact Hausdorff space $X$ can be used for an effective treatment of probability measures on $X$, and thus for the study of coloured fractals on $X$, where the colour is modeled by a probability distribution. For these applications, a description of $\mathcal{P}_D$ in terms of information systems would be useful.

* This paper was written while the author was visiting Imperial College of Science, Technology and Medicine in London, England. This visit was made possible by a grant of the Deutsche Forschungsgemeinschaft.
In [6, 7], it is shown that $\mathcal{P}_D$ preserves $\omega$-continuity of dcpo's. On the other hand, it does not preserve algebraicity: even the power domain of the one-point domain is not algebraic. Thus, $\mathcal{P}_D$ cannot be described by the more conventional information systems, which are only suited for certain classes of algebraic domains, as for instance the information systems of [9] for the class of bounded complete algebraic domains (Scott domains). The information systems of [3, 4] present bounded complete continuous domains, but this is still not sufficient, since $\mathcal{P}_D$ does not preserve bounded completeness as shown in [6, Section 4.5].

In [12], Vickers introduced a kind of information systems (infosyses) suitable to cover all continuous domains. In the paper at hand, we show that $\mathcal{P}_D$ can be described in terms of these infosyses. This was already conjectured by Vickers at the end of his paper. We also looked for a localic description of the power construction. Starting from the frame of opens of a continuous base domain, we show how the frame of opens of the power domain may be constructed in terms of generators and relations.

The paper is organized as follows: in Section 2, we sketch the theoretical background and introduce the probabilistic power domain construction $\mathcal{P}_D$. It can be applied to all topological systems, producing a dcpo. In Section 3, we introduce the probabilistic power locale construction $\mathcal{P}_L$. It can be applied to all topological systems, producing a locale. We show that for all topological systems, power domain and power locale have the same points.

In Section 4, we show how to construct a probabilistic power infosys $\mathcal{P}_I D$ for every infosys $D$. In Section 5, we prove that for continuous domains $X$, the power infosys of an infosys for $X$ has the same opens as the power locale of $X$. The proof uses a hard lemma, which is postponed to Section 6. The two properties that power domain and power locale have the same points, and power infosys and power locale have the same opens, imply that all three of $\mathcal{P}_D$, $\mathcal{P}_I$, and $\mathcal{P}_L$ agree on continuous domains.


2 The Background

In this section, we introduce the background of the theory in this paper. We assume the reader to be familiar with the basic notions of dcpo, continuous dcpo, continuous function between dcpo's, and the frames and locales of [5] or [11]. We denote the least element of a frame by 0 or F standing for 'false', and the greatest element by T for 'true', never 1. We use 'domain' as a synonym for 'dcpo', in particular when speaking of continuous dcpo's.

In Subsection 2.1, we recall the topological systems of [11]. In Subsection 2.2, we review the definition and properties of infosyses from [12]. Then we present an infosys for the unit interval of the real line in Subsection 2.3. In Subsection 2.4, we introduce the construction $\mathcal{P}_D$ of [6, 7].
2.1 Topological Systems

In [11], Vickers introduced topological systems as a common generalization of topological spaces and locales. In analogy to his abbreviation 'infosys' for 'information system', we shall abbreviate 'topological system' by 'topsys'. A topsys is a pair $X = (\mathrm{pt}\,X, \Omega X)$ of a set of 'points' $\mathrm{pt}\,X$ and a frame of 'opens' $\Omega X$ together with a relation '$\models$' between points and opens, which respects the frame operations: for every index set $I$, $x \models \bigvee_{i \in I} u_i$ iff there is $i$ in $I$ with $x \models u_i$; and for every finite index set $I$, $x \models \bigwedge_{i \in I} u_i$ iff for all $i$ in $I$, $x \models u_i$.

A topological space $X$ induces a topsys, where $\mathrm{pt}\,X$ is the underlying set of $X$, $\Omega X$ is the frame of open sets of $X$, and $x \models u$ iff $x \in u$. This in particular applies to dcpo's with their Scott topology.

A locale $X$ is defined by a frame $\Omega X$. It becomes a topsys by taking $\mathrm{pt}\,X$ as the set of frame homomorphisms from $\Omega X$ to $2 = \{F, T\}$, with $x \models u$ iff $xu = T$.

A continuous function $f : X \to Y$ between topsyses has two components, $\mathrm{pt}\,f : \mathrm{pt}\,X \to \mathrm{pt}\,Y$ and $\Omega f : \Omega Y \to \Omega X$, where $\Omega f$ is a frame homomorphism and $\mathrm{pt}\,f\,x \models v$ iff $x \models \Omega f\,v$ for all $x$ in $\mathrm{pt}\,X$ and $v$ in $\Omega Y$. In case of topological spaces, these are the usual continuous functions, and $f$ is determined by $\mathrm{pt}\,f$. In case of locales, these are frame homomorphisms in the opposite direction, and $f$ is determined by $\Omega f$.

2.2 Vickers Information Systems (Infosyses)

In this subsection, we briefly review the theory of infosyses as given in [12].

An infosys is a pair $(D, <)$ of a set of tokens $D$ and a binary relation '$<$' on $D$ which is transitive ($a < b$ and $b < c$ implies $a < c$) and interpolative (if $a < c$, then there is a token $b$ with $a < b$ and $b < c$). In contrast to the more conventional preorders, reflexivity is not required.

We need several notions and notations: for a set $A \subseteq D$, $\uparrow A = \{b \in D \mid \exists a \in A : a < b\}$ is the upper set of $A$. We use the abbreviation $\uparrow a$ for $\uparrow\{a\}$.¹ The operator '$\uparrow$' is monotonic ($A \subseteq B$ implies $\uparrow A \subseteq \uparrow B$) and idempotent ($\uparrow(\uparrow A) = \uparrow A$). In posets, there is an additional property $A \subseteq \uparrow A$, which is a consequence of reflexivity and thus not true for general infosyses.

The set of upper bounds of a token set $A$ is $\mathrm{ub}\,A = \{b \in D \mid \forall a \in A : a < b\}$.

A point of an infosys is a subset $x$ of $D$ with properties analogous to those of ideals: if $a < b$ and $b \in x$, then $a \in x$; and for $a_1, \ldots, a_n$ in $x$, there is $b$ in $x$ with $a_1, \ldots, a_n < b$. For the second condition, the cases $n = 0$ ($x$ is not empty) and $n = 2$ are enough. The points of an infosys $D$ ordered by inclusion form a continuous dcpo $\mathrm{pt}\,D$. This is the continuous domain represented by the infosys $D$.

¹ Vickers has no such abbreviations.
Conversely, for every continuous dcpo $X$, there is an infosys $I$ with $\mathrm{pt}\,I \cong X$, namely $I = (X, \ll)$, where '$\ll$' is the way-below relation on $X$. In general, there are many other infosyses $I$ with $\mathrm{pt}\,I \cong X$.

If the dcpo $X$ is even algebraic, then there is an infosys $I$ with reflexive order, i.e., a poset, with $\mathrm{pt}\,I \cong X$, namely the basis of $X$.

An open of an infosys is a subset $u$ of $D$ with $\uparrow u = u$. Ordered by inclusion, the opens of $D$ form a frame $\Omega D$. The joins of this frame are simply given by union, whereas the meets are not given by intersection: $u \wedge v$ is $\uparrow(u \cap v)$. The mapping $\omega : \Omega D \to 2^{\mathrm{pt}\,D}$ with $\omega u = \{x \in \mathrm{pt}\,D \mid x \cap u \neq \emptyset\}$ provides an isomorphism between the frame $\Omega D$ and the frame $\Omega(\mathrm{pt}\,D)$ of Scott open sets of the continuous domain $\mathrm{pt}\,D$. Thus, the topsys induced by the dcpo $\mathrm{pt}\,D$ is isomorphic to $(\mathrm{pt}\,D, \Omega D)$ with $p \models u$ iff $p \cap u \neq \emptyset$. We call the latter topsys $[D]$. Two infosyses $D$ and $E$ are equivalent iff $[D] \cong [E]$. Equivalent infosyses may look quite different, for instance one may be finite and the other one infinite.

The frame $\Omega D$ of an infosys $D$ can be presented by generators and relations: generators are $\uparrow a$ for $a$ in $D$, and the relations are $\bigwedge_{a \in S} \uparrow a = \bigvee_{b \in \mathrm{ub}\,S} \uparrow b$ for every finite subset $S$ of $D$. This one relation scheme can be equivalently replaced by three:

(1) Monotonicity: if $a < b$, then $\uparrow a \geq \uparrow b$;

(2) All tokens: $\bigvee_{a \in D} \uparrow a = T$;

(3) Meets: $\uparrow a \wedge \uparrow b \leq \bigvee_{c > a, b} \uparrow c$.

Here, (1) corresponds to '$\geq$' in the single relation scheme, (2) to '$\leq$' with empty $S$, and (3) to '$\leq$' with $S = \{a, b\}$.

2.3 The Unit Interval

The unit interval of the real line plays a major role in the theory of the probabilistic power construction. In this paper, we denote the usual order on real numbers by '$\sqsubseteq$' instead of '$\leq$', and accordingly its strict variant ($x \sqsubseteq y$ and $x \neq y$) by '$\sqsubset$' instead of '$<$'. This is done to avoid confusion with the infosys order introduced below.

By these conventions, the unit interval is $\mathbf{I} = \{r \in \mathbb{R} \mid 0 \sqsubseteq r \sqsubseteq 1\}$ ordered by '$\sqsubseteq$'. It forms a continuous domain, which can be described by many different information systems. As pointed out above, one of these is $(\mathbf{I}, <)$, where '$<$' is the way-below relation of $\mathbf{I}$, namely $x < y$ iff $x \sqsubset y$ or $x = y = 0$. Another one with fewer tokens is $\mathbb{Q}_I = \{q \in \mathbb{Q} \mid 0 \sqsubseteq q \sqsubseteq 1\}$ with the same order '$<$'.

In the sequel, we list some arithmetic properties of this non-standard order. All these properties are to be read as quantified over the non-negative reals ($r \sqsupseteq 0$). In contrast to '$\sqsubseteq$', $a < b$ does not imply $a + c < b + c$ (take $a = b = 0$ and $c \neq 0$). On the other hand, $a_1 < b_1$ and \ldots and $a_n < b_n$ implies $\sum_{i=1}^{n} a_i < \sum_{i=1}^{n} b_i$ even in the case $n = 0$; and $a < b$ implies $a \cdot c < b \cdot c$ even if $c = 0$. Furthermore, if $a > b$, then there is some rational $q$ with $a > q > b$, and there is some rational $r < 1$ with $r \cdot a > b$. The latter can be extended to any finite number of relations: if $a_1 > b_1$ and \ldots and $a_n > b_n$, then there is one rational $r < 1$ with $r \cdot a_i > b_i$ for all $i$.

The frame $\Omega\mathbb{Q}_I \cong \Omega\mathbf{I}$ can be presented by generators $\uparrow q$ for $q$ in $\mathbb{Q}_I$ with the three relations at the end of Subsection 2.2. By special properties of $\mathbb{Q}_I$, namely linearity and existence of joins of tokens, these relations can be simplified to

(1) Rational zero: $\uparrow 0 = T$;

(2) Rational continuity: $\bigvee_{r > q} \uparrow r = \uparrow q$.

The case $q = 0$ of rational continuity is redundant, since it follows from rational zero and $0 > 0$.


2.4 Probabilistic Power Domains

For a given dcpo $X$, the probabilistic power domain $\mathcal{P}_D X$ is defined in [6, 7] as $\mathcal{P}_D X = [\Omega X \to \mathbf{I}]$, the dcpo of continuous evaluations from $\Omega X$ to $\mathbf{I}$ with the pointwise order. A function $\mu$ from a frame to $\mathbf{I}$ is an evaluation if it satisfies the zero law $\mu(0) = 0$ and the modular law $\mu(a \vee b) + \mu(a \wedge b) = \mu a + \mu b$.

Since the definition of $\mathcal{P}_D X$ only refers to $\Omega X$, it can be applied to any topsys $X$, producing a dcpo and thus a topsys. Similarly, the probabilistic power locale construction $\mathcal{P}_L$ soon to be introduced only relies on $\Omega X$ and thus can be applied to any topsys. We shall prove (Theorem 3.2):

(1) For every topsys $X$, $\mathrm{pt}\,\mathcal{P}_D X$ and $\mathrm{pt}\,\mathcal{P}_L X$ are isomorphic posets (in fact dcpo's).

In Section 4, we shall introduce the probabilistic power infosys construction $\mathcal{P}_I$ mapping infosyses to infosyses. We shall prove (Theorem 5.2):

(2) For every infosys $D$, $\Omega\mathcal{P}_I D$ and $\Omega\mathcal{P}_L[D]$ are isomorphic frames.

Since the topsyses described by infosyses are continuous domains and thus localic (sober), (2) suffices to conclude:

(3) For every infosys $D$, $[\mathcal{P}_I D]$ and $\mathcal{P}_L[D]$ are isomorphic topsyses.

First, we can conclude from this that $\mathcal{P}_I$ preserves equivalence of infosyses, which would not be obvious a priori. Second, we can conclude that for every continuous domain $X$, $\mathcal{P}_L X$ is a continuous domain again, and thus a dcpo. The topsyses induced by dcpo's are spatial, whence (1) suffices to conclude

(4) For every continuous domain $X$, $\mathcal{P}_D X$ and $\mathcal{P}_L X$ are isomorphic topsyses (in fact continuous domains).

This is our main result: on continuous domains, $\mathcal{P}_D$, $\mathcal{P}_L$, and $\mathcal{P}_I$ coincide.


3 A Probabilistic Power Locale

In this section, we introduce the probabilistic power locale construction $\mathcal{P}_L$ and show that its power locales have the same points as Jones's power domains.

3.1 The Generators

In this subsection, we motivate our choice for the generators of $\Omega\mathcal{P}_L X$. Let us first analyze the probabilistic power domain construction $\mathcal{P}_D X = [\Omega X \to \mathbf{I}]$ for dcpo's $X$. It can be dismantled into two consecutive steps: first mapping the dcpo $X$ into its frame of opens $\Omega X$, and then applying a construction $D : F \mapsto [F \to \mathbf{I}]$ mapping frames into dcpo's. In investigating $D$, we may assume that it is applied to arbitrary frames, not just those frames arising from the Scott topology of a dcpo.

Analogously, we shall define a construction $L$ mapping frames into locales, and then let $\mathcal{P}_L X = L(\Omega X)$. The locale $L(F)$ of a frame $F$ should be close to the dcpo $D(F) = [F \to \mathbf{I}]$. Ideally, $\Omega L(F)$ would be the frame of Scott open sets of $D(F)$, but this frame is difficult to axiomatize. Instead, we shall consider the pointwise topology on the function space $[F \to \mathbf{I}]$. Its subbasic opens are $F(u, v)$ for members $u$ of $F$ and opens $v$ in $\Omega\mathbf{I}$, where $F(u, v) = \{\mu : F \to \mathbf{I} \mid \mu u \in v\}$. Instead of all opens in $\Omega\mathbf{I}$, it suffices to consider the basic opens $\uparrow q$ for $q$ in $\mathbb{Q}_I$. Thus, the frame $\Omega L(F)$ will have generators $\langle u, q \rangle$ with $u$ in $F$ and $q$ in $\mathbb{Q}_I$, where the intended meaning of $\langle u, q \rangle$ is $\{\mu \mid \mu u > q\}$.

Now, our goal is to find suitable relations on these generators such that the posets $\mathrm{pt}\,D(F)$ and $\mathrm{pt}\,L(F)$ become isomorphic. Indeed, we shall prove a little bit more:

Theorem 3.1  For every frame $F$, there is a continuous function $f : D(F) \to L(F)$ whose points part $\mathrm{pt}\,f : \mathrm{pt}\,D(F) \to \mathrm{pt}\,L(F)$ is an isomorphism.

We shall prove this theorem by first comparing the dcpo $D_0$ of all functions from $F$ to $\mathbf{I}$ with a certain locale $L_0$, and then gradually introducing more restrictions on the functions of $D_0$ as well as more relations on the frame of $L_0$.

3.2 Arbitrary Functions

For our fixed frame $F$, we define $D_0$ to be the dcpo of all (not even necessarily monotonic) functions from $F$ to $\mathbf{I}$. For the corresponding locale $L_0$, we present the frame $\Omega L_0$ by the generators $\langle u, q \rangle$ for $u$ in $F$ and $q$ in $\mathbb{Q}_I$ with two relations which are directly motivated by the two relations on $\Omega\mathbb{Q}_I$ of Subsection 2.3:

• Rational zero: $\langle u, 0 \rangle = T$ for all $u$ in $F$.

• Rational continuity: $\bigvee_{r > q} \langle u, r \rangle = \langle u, q \rangle$ for all $u$ in $F$ and $q$ in $\mathbb{Q}_I$.

The second relation implies that $\langle u, r \rangle \leq \langle u, q \rangle$ whenever $r > q$. Notice that '$>$' here is meant to refer to (the dual of) the infosys relation of Subsection 2.3, which differs from the usual meaning of '$<$' by the additional relationship $0 < 0$.

Now, we define a continuous function $f : D_0 \to L_0$ by defining $\Omega f : \Omega L_0 \to \Omega D_0$ with

$$\Omega f\langle u, q \rangle = \{\mu : F \to \mathbf{I} \mid \mu u > q\}$$

and $\mathrm{pt}\,f : \mathrm{pt}\,D_0 \to \mathrm{pt}\,L_0 = \mathrm{Frame}(\Omega L_0, 2)$ with

$$\mathrm{pt}\,f\,\mu\,\langle u, q \rangle = [\mu u > q],$$

where $[\mu u > q] = T$ if $\mu u > q$, and $= F$ otherwise.

To show that this makes sense, we have to check several things. First, $\{\mu \mid \mu u > q\}$ is indeed Scott open in $D_0$.

Second, $\mathrm{pt}\,f$ and $\Omega f$ fit together, i.e., for all $\mu$ in $\mathrm{pt}\,D_0$ and $U$ in $\Omega L_0$, $\mu \models \Omega f\,U$ iff $\mathrm{pt}\,f\,\mu \models U$. It suffices to show this for generators, and $\mu \models \Omega f\langle u, q \rangle$ iff $\mu u > q$ iff $\mathrm{pt}\,f\,\mu \models \langle u, q \rangle$ holds indeed.

Third, $\Omega f$ and $\mathrm{pt}\,f\,\mu$ preserve the two relations: for rational zero, $\mu u > 0$ holds for every $\mu$ in $D_0$; for rational continuity, note that $\mu u > q$ iff there is a rational $r$ with $\mu u > r > q$.

In the sequel, we show that $\mathrm{pt}\,f : \mathrm{pt}\,D_0 \to \mathrm{pt}\,L_0$ is an isomorphism. The proof becomes simpler if $\mathbf{I}$ is considered as the set of ideals $\mathrm{pt}\,\mathbb{Q}_I$ of the infosys $\mathbb{Q}_I$. The dcpo's $\mathbf{I}$ and $\mathrm{pt}\,\mathbb{Q}_I$ are isomorphic, and directed join in $\mathbf{I}$ corresponds to directed union in $\mathrm{pt}\,\mathbb{Q}_I$. The definition of $\mathrm{pt}\,f$ then becomes

$$\mathrm{pt}\,f\,\mu\,\langle u, q \rangle = [q \in \mu u].$$

We claim that the inverse of $\mathrm{pt}\,f$ is $\gamma : \mathrm{pt}\,L_0 \to \mathrm{pt}\,D_0$ with

$$\gamma p\,u = \{q \in \mathbb{Q}_I \mid p\langle u, q \rangle = T\}$$

for $p$ in $\mathrm{pt}\,L_0$ and $u$ in $F$. If $r$ is in $\gamma p\,u$ and $r > q$, then $q$ is in $\gamma p\,u$ since $\langle u, r \rangle \leq \langle u, q \rangle$. If $q$ is in $\gamma p\,u$, then there is $r > q$ with $r$ in $\gamma p\,u$ by rational continuity. $0$ is always in $\gamma p\,u$ by rational zero. These facts suffice to show that $\gamma p\,u$ is a point (a directed lower set) because $\mathbb{Q}_I$ is linearly ordered. Thus, $\gamma p\,u$ is in $\mathrm{pt}\,\mathbb{Q}_I$ as required.

Next, we show that $\gamma$ is the inverse of $\mathrm{pt}\,f$. One direction is easy:

$$q \in \gamma(\mathrm{pt}\,f\,\mu)\,u \quad\text{iff}\quad \mathrm{pt}\,f\,\mu\,\langle u, q \rangle = T \quad\text{iff}\quad q \in \mu u.$$

Conversely, we claim $\mathrm{pt}\,f(\gamma p) = p$ for all $p$ in $\mathrm{pt}\,L_0$. It suffices to show that both sides coincide on generators. The statement $\mathrm{pt}\,f(\gamma p)\langle u, q \rangle = T$ is by definition of $\mathrm{pt}\,f$ equivalent to $q \in \gamma p\,u$, which in turn is equivalent to $p\langle u, q \rangle = T$.

3.3 Restricted Functions

We carry on by comparing various subdcpo's of $D_0$ defined by restrictions on the functions with sublocales of $L_0$ defined by additional relations. This neither affects the definitions of $\Omega f$, $\mathrm{pt}\,f$, and $\gamma$, nor the proof that $\mathrm{pt}\,f$ and $\gamma$ are inverse to each other. We only have to show in any case that $\Omega f$ and $\mathrm{pt}\,f\,\mu$ preserve the additional relations and that $\gamma p$ satisfies the restrictions. For all but modularity, these proofs are quite obvious and omitted.

Monotonicity: Restriction: if $u \leq v$, then $\mu u \sqsubseteq \mu v$.
Relations: if $u \leq v$, then $\langle u, q \rangle \leq \langle v, q \rangle$.

Continuity: Restriction: if $U \subseteq F$ is directed, then $\mu(\bigvee U) = \bigsqcup_{u \in U} \mu u$.
Relations: if $U \subseteq F$ is directed, then $\langle \bigvee U, q \rangle = \bigvee_{u \in U} \langle u, q \rangle$.

Zero law: Restriction: $\mu(0) = 0$.
Relations: if $q \neq 0$, then $\langle 0, q \rangle = F$.

By the rational zero relation, $\langle 0, 0 \rangle = T$ holds. All these relations look quite contradictory in presence of $\bigvee_{r > 0} \langle 0, r \rangle = \langle 0, 0 \rangle$, but remember $0 > 0$.

Modularity: Restriction: for all $u$ and $v$, $\mu u + \mu v = \mu(u \vee v) + \mu(u \wedge v)$.

To find the corresponding relations, we have to check when $\mu u + \mu v > q$ holds. It is the case iff there are rational numbers $r$ and $s$ with $\mu u > r$, $\mu v > s$, and $r + s = q$. This suggests the following
Relations: for all rational numbers $q$ with $0 \sqsubseteq q \sqsubseteq 2$,

$$\bigvee\{\langle u, r \rangle \wedge \langle v, s \rangle \mid r, s \in \mathbb{Q}_I,\ r + s = q\} = \bigvee\{\langle u \vee v, r \rangle \wedge \langle u \wedge v, s \rangle \mid r, s \in \mathbb{Q}_I,\ r + s = q\}.$$

$\Omega f$ preserves the relations by the reasoning above. To show that $\gamma p$ is modular, we perform the following computation, where $q$ always ranges over the rationals with $0 \sqsubseteq q \sqsubseteq 2$:

$p\bigl(\bigvee\{\langle u, r \rangle \wedge \langle v, s \rangle \mid r, s \in \mathbb{Q}_I,\ r + s = q\}\bigr) = T$
iff $\bigvee\{p\langle u, r \rangle \wedge p\langle v, s \rangle \mid r, s \in \mathbb{Q}_I,\ r + s = q\} = T$ ($p$ is a homomorphism)
iff $\exists r, s \in \mathbb{Q}_I : r + s = q,\ p\langle u, r \rangle = T,\ p\langle v, s \rangle = T$ ($p$ maps to $\{F, T\}$)
iff $\exists r, s \in \mathbb{Q}_I : r + s = q,\ \gamma p\,u > r,\ \gamma p\,v > s$
iff $\gamma p\,u + \gamma p\,v > q$.

An analogous computation may be performed for $s = \gamma p(u \vee v) + \gamma p(u \wedge v)$, and the relations assure that $s > q$ iff $\gamma p\,u + \gamma p\,v > q$, whence $s = \gamma p\,u + \gamma p\,v$.

This completes the proof of Theorem 3.1. Summarizing, we obtain:

Theorem 3.2  For every topsys $X$, let $\mathcal{P}_D X$ be the dcpo $[\Omega X \to \mathbf{I}]$, and $\mathcal{P}_L X$ be the locale whose frame of opens $\Omega\mathcal{P}_L X$ is presented by:

Generators: $\langle u, q \rangle$ with $u$ in $\Omega X$ and $q$ in $\mathbb{Q}_I$;

Relations: Rational zero: $\langle u, 0 \rangle = T$ for all $u$ in $\Omega X$;

Rational continuity: $\bigvee_{r > q} \langle u, r \rangle = \langle u, q \rangle$ for all $u$ in $\Omega X$ and $q$ in $\mathbb{Q}_I$;

Continuity: if $U \subseteq \Omega X$ is directed, then $\langle \bigvee U, q \rangle = \bigvee_{u \in U} \langle u, q \rangle$;

Zero law: if $q \neq 0$, then $\langle 0, q \rangle = 0$;

Modularity: for all rational $q$ with $0 \sqsubseteq q \sqsubseteq 2$, and all $u, v$ in $\Omega X$,

$$\bigvee\{\langle u, r \rangle \wedge \langle v, s \rangle \mid r, s \in \mathbb{Q}_I,\ r + s = q\} = \bigvee\{\langle u \vee v, r \rangle \wedge \langle u \wedge v, s \rangle \mid r, s \in \mathbb{Q}_I,\ r + s = q\}.$$

Then there is a continuous function $f : \mathcal{P}_D X \to \mathcal{P}_L X$ defined by

$$\Omega f\langle u, q \rangle = \{\mu \in [\Omega X \to \mathbf{I}] \mid \mu u > q\}$$

such that $\mathrm{pt}\,f : \mathrm{pt}\,\mathcal{P}_D X \to \mathrm{pt}\,\mathcal{P}_L X$ is a poset isomorphism. □


4 The Power Construction on Infosyses

In this section, we define the probabilistic construction $\mathcal{P}_I$ on infosyses. Subsection 4.1 deals with the tokens of the power infosyses, and Subsection 4.2 with their order.

4.1 The Tokens of the Power Infosys

In this subsection, we define the tokens of the power infosys $\mathcal{P}_I D$ of some given infosys $D$. We then investigate two different ways to interpret such power tokens as functions from the frame $\Omega D$ to $\mathbf{I}$. These functions will be used in the next subsection to define the order on the power tokens.

The power tokens may be thought of as formal convex combinations $\sum_{i=1}^{n} r_i \cdot a_i$ with $a_i$ in $D$ and $r_i$ in $\mathbb{Q}_I$ such that $\sum_{i=1}^{n} r_i < 1$. This is formalized in the following definition, which was already conjectured in [12].

Definition 4.1  The tokens of $\mathcal{P}_I D$ are finite bags $A$ of pairs $(r, a)$ from $\mathbb{Q}_I \times D$ with $\sum\{|\, r \mid (r, a) \in A \,|\} < 1$.

Bags or multi-sets are similar to sets, but elements may occur more than once in them. Notationally, we use $\{|\cdot|\}$ for bags in contrast to $\{\cdot\}$ for sets, but keep on using '$\emptyset$', '$\in$', and '$\subseteq$' as for sets. The bag union of two bags is denoted by '$+$', e.g., $\{|1|\} + \{|1, 2|\} = \{|1, 1, 2|\}$. Bags will be manipulated by means of bag abstractions, whose meaning is analogous to that of set abstractions, but keeping different occurrences of the same element apart. Thus, for instance $\sum\{|\, r \mid (r, a) \in \{|(0.2, b), (0.2, b), (0.2, c)|\} \,|\} = \sum\{|0.2, 0.2, 0.2|\} = 0.6$.

The power infosys of a finite infosys need not be finite because of the rational numbers involved. On the other hand, countability of infosyses is preserved by the power infosys operation.

In the sequel, we need some notions and notations concerning power tokens.

Definition 4.2  For power tokens $A$ in $\mathcal{P}_I D$, let $\mathrm{set}\,A = \{a \mid (r, a) \in A\}$ be the set of $D$-tokens occurring in $A$, and $\mathrm{num}\,A = \{|\, r \mid (r, a) \in A \,|\}$ be the bag of numbers in $A$.

For power tokens $A$ in $\mathcal{P}_I D$ and opens $u$ in $\Omega D$, let $A_p u = \sum\{|\, r \mid (r, a) \in A,\ a \in u \,|\}$ and $A_o u = \sum\{|\, r \mid (r, a) \in A,\ \uparrow a \subseteq u \,|\}$.

We use the indices $p$ and $o$ to indicate that in the first case, the token $a$ is considered as a point of the open $u$, whereas in the latter case, it codes for the open $\uparrow a$. If the infosys $D$ is reflexive, i.e., in the algebraic case, the conditions $a \in u$ and $\uparrow a \subseteq u$ are equivalent, whence $A_p = A_o$ for all power tokens $A$. This is not valid in the general case.

In the sequel, we look at the elementary properties of the two functional interpretations $A_p, A_o : \Omega D \to \mathbb{Q}_I \subseteq \mathbf{I}$.

Proposition 4.3  For all $A$ in $\mathcal{P}_I D$:

(1) For all $u$ in $\Omega D$: $0 < A_p u \sqsubseteq A_o u \sqsubseteq \sum \mathrm{num}\,A < 1$.

(2) $A_p$ is continuous, and $A_o$ is monotonic.

(3) $A_p$ satisfies the zero law: $A_p \emptyset = 0$.

(4) For all $u$ in $\Omega D$: $\emptyset_p u = \emptyset_o u = 0$.

Unfortunately, neither $A_p$ nor $A_o$ can be expected to be modular. Since joins in $\Omega D$ are unions, '$a \in u \vee v$ iff $a \in u$ or $a \in v$' holds, but since meets are in general not intersections, '$a \in u \wedge v$ iff $a \in u$ and $a \in v$' does not hold in general. Dually, '$\uparrow a \subseteq u \wedge v$ iff $\uparrow a \subseteq u$ and $\uparrow a \subseteq v$' holds by the very nature of meets, but since $\uparrow a$ is not a single token, '$\uparrow a \subseteq u \vee v$ iff $\uparrow a \subseteq u$ or $\uparrow a \subseteq v$' does not hold in general. Fortunately, $A_p$ and $A_o$ satisfy some kind of modularity in co-operation.

Proposition 4.4  For all $A$ in $\mathcal{P}_I D$ and $u, v$ in $\Omega D$,

$$A_p u + A_p v \sqsubseteq A_p(u \vee v) + A_o(u \wedge v) \sqsubseteq A_o u + A_o v.$$

Proof: For $a$ in $D$ and $u$ in $\Omega D$, let $[a \in u]$ be 1 or 0 depending on whether $a$ is in $u$ or not. Then $A_p u = \sum\{|\, r \cdot [a \in u] \mid (r, a) \in A \,|\}$, and $A_o u = \sum\{|\, r \cdot [\uparrow a \subseteq u] \mid (r, a) \in A \,|\}$ with an analogous notation. Thus, the statement of the proposition can be derived from the more basic statement

$$[a \in u] + [a \in v] \sqsubseteq [a \in u \vee v] + [\uparrow a \subseteq u \wedge v] \sqsubseteq [\uparrow a \subseteq u] + [\uparrow a \subseteq v],$$

which can be shown by case analysis. □
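The following Python program is an added illustration and not part of the paper. It builds a small constructed infosys (tokens r, p, q, x with a transitive, interpolative but non-reflexive order, chosen for this example), enumerates its opens and points as in Subsection 2.2, checks that meets are $\uparrow(u \cap v)$ rather than plain intersections and that the map $\omega$ is injective, and then computes $A_p$ and $A_o$ of Definition 4.2 for a sample power token. It confirms Proposition 4.3(1) and Proposition 4.4 by exhaustive check, shows that $A_p$ is not modular and that $A_o$ violates the zero law, while a weighted sum of points is an evaluation in the sense of Subsection 2.4. The token names, the order and the weights are assumptions of the example.

```python
from fractions import Fraction as Fr
from itertools import combinations

# Constructed finite infosys (D, <), not taken from the paper.  The order is
# transitive and interpolative but not reflexive: r and x are never below themselves.
D = ("r", "p", "q", "x")
LT = {("r", "p"), ("r", "x"), ("p", "p"), ("p", "x"), ("q", "q"), ("q", "x")}

def lt(a, b):
    return (a, b) in LT

def is_infosys():
    """Transitivity and interpolation of '<' (Subsection 2.2)."""
    transitive = all(lt(a, c) for (a, b) in LT for (b2, c) in LT if b == b2)
    interpolative = all(any(lt(a, b) and lt(b, c) for b in D) for (a, c) in LT)
    return transitive and interpolative

def up(s):
    """Upper set ^s = {b | exists a in s with a < b}."""
    return frozenset(b for b in D for a in s if lt(a, b))

def subsets(xs):
    xs = tuple(xs)
    for k in range(len(xs) + 1):
        for c in combinations(xs, k):
            yield frozenset(c)

# Opens are the subsets u with ^u = u; joins are unions, meets are ^(u n v).
OPENS = [u for u in subsets(D) if up(u) == u]

def meet(u, v):
    return up(u & v)

def is_point(x):
    """Non-empty, lower-closed subset of D in which every pair has an upper bound."""
    if not x:
        return False
    lower = all(a in x for b in x for a in D if lt(a, b))
    bounded = all(any(lt(a, c) and lt(b, c) for c in x) for a in x for b in x)
    return lower and bounded

POINTS = [x for x in subsets(D) if is_point(x)]

def omega(u):
    """The map omega of Subsection 2.2: an open to the set of points meeting it."""
    return frozenset(x for x in POINTS if x & u)

# Power tokens (Definition 4.1) as lists of (weight, ground token) pairs, i.e. bags.
def A_p(A, u):
    return sum((r for r, a in A if a in u), Fr(0))

def A_o(A, u):
    return sum((r for r, a in A if up({a}) <= u), Fr(0))

def total(A):
    return sum((r for r, a in A), Fr(0))

def point_valuation(weights):
    """A genuine evaluation on Omega D: weighted count of the points x with x |= u."""
    return lambda u: sum((w for x, w in weights if x & u), Fr(0))

def is_evaluation(mu):
    """Zero law and modular law of Subsection 2.4, checked over all pairs of opens."""
    zero = mu(frozenset()) == 0
    modular = all(mu(u) + mu(v) == mu(u | v) + mu(meet(u, v)) for u in OPENS for v in OPENS)
    return zero and modular

def prop_4_3_1(A):
    t = total(A)
    return all(0 <= A_p(A, u) <= A_o(A, u) <= t < 1 for u in OPENS)

def prop_4_4(A):
    return all(A_p(A, u) + A_p(A, v) <= A_p(A, u | v) + A_o(A, meet(u, v)) <= A_o(A, u) + A_o(A, v)
               for u in OPENS for v in OPENS)

# Sample power token (constructed), total weight 3/4 < 1.
A = [(Fr(1, 4), "r"), (Fr(1, 4), "p"), (Fr(1, 4), "x")]
```

The token x has no token above it, so it lies in no point, and r is below p but not below itself, so r lies in no open; this is exactly where $a \in u$ and $\uparrow a \subseteq u$ come apart and where $u \cap v$ fails to be an open.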

4.2 The Order of the Power Infosys

So far, we only defined the tokens of $\mathcal{P}_I D$. For the order, we shall establish several equivalent definitions in this subsection.

Definition 4.5  For two functions $f$ and $g$ from $\Omega D$ to $\mathbf{I}$, we define $f < g$ iff for all $u$ in $\Omega D$, $fu < gu$ holds. For two tokens $A$ and $B$ in $\mathcal{P}_I D$, we define $A < B$ iff $A_o < B_p$ holds.

So far, the token order is not quite effective because of the potentially infinite quantification over all opens. We shall soon derive effective characterizations.

The definition above has the virtue that transitivity can be shown easily: from $A < B$ and $B < C$, $A_o u < B_p u \sqsubseteq B_o u < C_p u$ for all opens $u$, whence $A < C$. Also, $\emptyset$ is readily seen to be the least power token: $\emptyset_o u = 0 < B_p u$ holds for all opens $u$. For interpolation however, some hard work is needed. Before doing it, we derive two effective characterizations.

Proposition 4.6  For a token $A$ in $\mathcal{P}_I D$ and a monotonic function $\mu : \Omega D \to \mathbf{I}$, the following three statements are equivalent:

(1) $A_o < \mu$, i.e., for all $u$ in $\Omega D$, $A_o u < \mu u$ holds.

(2) $A_o u < \mu u$ holds for all $u$ in $U(A) = \{\uparrow\mathrm{set}\,S \mid S \subseteq A\}$.

(3) For all subbags $S$ of $A$, $\sum \mathrm{num}\,S < \mu(\uparrow\mathrm{set}\,S)$ holds.

In (3), one may also quantify 'for all non-empty subbags'.

Notice how the universal quantification of (1) is reduced to the finite quantifications in (2) and (3).

Proof:

(1) ⇒ (2): Trivial; $U(A)$ is a subset of $\Omega D$.

(2) ⇒ (3): Let $u = \uparrow\mathrm{set}\,S$, which is in $U(A)$. If $(r, a)$ is in $S$, then $a$ is in $\mathrm{set}\,S$, whence $\uparrow a \subseteq u$. Thus,

$$\sum \mathrm{num}\,S = \sum\{|\, r \mid (r, a) \in S \,|\} \sqsubseteq \sum\{|\, r \mid (r, a) \in A,\ \uparrow a \subseteq u \,|\} = A_o u < \mu u.$$

(3) ⇒ (1): For given $u$, let $S = \{|\, (r, a) \in A \mid \uparrow a \subseteq u \,|\}$. Then $\uparrow\mathrm{set}\,S \subseteq u$, whence with monotonicity of $\mu$, $A_o u = \sum \mathrm{num}\,S < \mu(\uparrow\mathrm{set}\,S) \sqsubseteq \mu u$.

The empty subbag need not be included in (3), since $\sum \mathrm{num}\,\emptyset = 0 < x$ always holds. □

The proposition applies in particular to the case $\mu = B_p$ needed for $A < B$:

Corollary 4.7  For two tokens $A$ and $B$ in $\mathcal{P}_I D$, $B > A$ iff for all $S \subseteq A$, $B_p(\uparrow\mathrm{set}\,S) > \sum \mathrm{num}\,S$.

The corollary shows that the order on $\mathcal{P}_I D$ is decidable if the order on $D$ is decidable: $A < B$ can be checked by performing a finite number of comparisons of rational numbers

$$\sum \mathrm{num}\,S = \sum\{|\, r \mid (r, a) \in S \,|\} \quad\text{and}\quad B_p(\uparrow\mathrm{set}\,S) = \sum\{|\, s \mid (s, b) \in B,\ \exists (r, a) \in S : b > a \,|\},$$

which can be computed with a finite number of comparisons in $D$ and additions of rationals.

The  intuitions  of  Vickers  in  [12]  suggest  a  quite  different  definition  of  the  order  on 
the  tokens.  A  token  A  is  below  a  token  B  iff  every  element  (r,  a)  can  be  split  into 
some  (r,-,  a)  with  =  r>  then  grown  by  enlarging  both  the  rational  number  and 

the  ground  token,  then  recombined  again  to  obtain  some  (not  necessarily  all)  of  the 
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elements  of  B.  A  formalization  of  these  intuitions  is  provided  by  Lemma  4.13  of  [6], 
which  handles  the  more  concrete  problem  of  comparing  convex  combinations  of  point 
evaluations.  This  leads  to  the  following  theorem: 

Theorem 4.8 Let $A = \{|(r_1,a_1), \dots, (r_n,a_n)|\}$ and $B = \{|(s_1,b_1), \dots, (s_m,b_m)|\}$ be two power tokens with a fixed order to enumerate their elements, and let $I = \{1,\dots,n\}$ and $J = \{1,\dots,m\}$. Then the following are equivalent:

(1) $A < B$, i.e., for all opens $u$, $A_p u < B_p u$;

(2) there are real numbers $t_{ij}$ in the unit interval for every $i$ in $I$ and $j$ in $J$, such that $t_{ij} \neq 0$ implies $a_i < b_j$, $\sum_{j \in J} t_{ij} = r_i$ for every $i$ in $I$, and $\sum_{i \in I} t_{ij} < s_j$ for every $j$ in $J$;

(3) as (2), but the $t_{ij}$ are in $\mathbb{Q}_I$, and $\sum_{j \in J} t_{ij} > r_i$.

(Here and below, $\sqsubseteq$ and $\sqsubset$ denote the usual order of rationals, while $<$ is the order of the infosys $\mathbb{Q}_I$, i.e., the usual strict order plus $0 < 0$.)

Proof:

(1) ⇒ (2): This is essentially the proof of the Splitting Lemma 4.10 of [6] or Lemma 9.2 of [7]. It applies the Max-Flow Min-Cut Theorem 5.1 of [2]. In our case, it is applied to a graph with nodes $\bot$ (source), $1, \dots, n$, $1', \dots, m'$, and $\top$ (sink), and edges from $\bot$ to $i$ with capacities $r_i$, from $i$ to $j'$ with capacities $1$ if $a_i < b_j$ and $0$ otherwise, and from $j'$ to $\top$ with capacities $p \cdot s_j$, where $p$ is a previously chosen rational number with $\sum\operatorname{num} S < p \cdot B_p(\uparrow\!\operatorname{set} S)$ for all subbags $S$ of $A$. The remainder of the proof is in analogy to [6, 7] and thus omitted.

(2) ⇒ (3): Choose a rational $p$ with $0 \neq p \sqsubset 1$ such that still $\sum_{i \in I} t_{ij} < p \cdot s_j$ for all $j$ in $J$. For every $i$ in $I$ and $j$ in $J$, choose a rational $t'_{ij}$ with $t_{ij} < t'_{ij} < t_{ij} \cdot p^{-1}$. The numbers $t'_{ij}$ do the job for (3).

(3) ⇒ (1): We use Cor. 4.7 to prove $A < B$. Let $S$ be a subbag of $A$, $I'$ a corresponding subset of $I$, and $J' = \{ j \in J \mid b_j \in \uparrow\!\operatorname{set} S \}$. We start with

$$\sum\operatorname{num} S = \sum_{i \in I'} r_i < \sum_{i \in I'} \sum_{j \in J} t_{ij}.$$

We only need to sum those $t_{ij}$ with $t_{ij} \neq 0$. For these, $a_i < b_j$ holds. Thus it suffices to consider those $j$ with $b_j \in \uparrow\!\operatorname{set} S$, and we may continue

$$\cdots = \sum_{i \in I'} \sum_{j \in J'} t_{ij} \sqsubseteq \sum_{j \in J'} \sum_{i \in I} t_{ij} < \sum_{j \in J'} s_j = B_p(\uparrow\!\operatorname{set} S). \qquad □$$

The last statement of Theorem 4.8 enables us to prove interpolation. Let $A$ and $B$ be as in the theorem with $A < B$, and let $t_{ij}$ be the numbers of its last statement. For every $i$ in $I$ and $j$ in $J$ with $a_i < b_j$, we choose a ground token $c_{ij}$ with $a_i < c_{ij} < b_j$, and construct the bag $C$ of pairs $(t_{ij}, c_{ij})$. Then $A < C < B$ holds, as is easily verified using parts (2) or (3) of Theorem 4.8.
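The decision procedure that Corollary 4.7 and Theorem 4.8 describe, as an added worked example that is not part of the original paper: it checks $A < B$ by the finitely many rational comparisons of Corollary 4.7 and, independently, computes a splitting $t_{ij}$ of Theorem 4.8 (2) by max-flow on the network used in the proof of (1) ⇒ (2). The ground infosys $D$ (four tokens with a strict partial order), the sample tokens and all Python names are constructed assumptions. The flow step uses the sink capacities $s_j$ directly instead of the scaled $p \cdot s_j$ of the proof, so it decides the non-strict variant of (2); the third sample (equal masses) shows exactly where that differs from the infosys order, which is why the subbag check, not the flow, is the authoritative test here.

```python
from collections import deque
from fractions import Fraction as Fr
from itertools import combinations

# Constructed ground infosys D: four tokens, with a < b for exactly the pairs in BELOW.
# The paper needs < only to be transitive and interpolative; a strict partial order
# keeps this finite example readable.
BELOW = {("bot", "x"), ("bot", "y"), ("bot", "top"), ("x", "top"), ("y", "top")}


def below(a, b):
    return (a, b) in BELOW


def lt(x, y):
    """Order of the infosys Q_I on rationals: the usual strict order plus 0 < 0."""
    return (x == 0 and y == 0) or x < y


# A power token is a list of pairs (r, a): positive rational r, ground token a, sum r <= 1.
def num_sum(S):
    return sum((r for r, _ in S), Fr(0))


def upset_mass(B, S):
    """B_p(up set S): the mass of B sitting strictly above some ground token of S."""
    return sum((s for s, b in B if any(below(a, b) for _, a in S)), Fr(0))


def below_by_subbags(A, B):
    """Corollary 4.7: A < B iff sum num S < B_p(up set S) for every subbag S of A.
    The empty subbag is skipped (0 < 0 holds), so finitely many comparisons remain."""
    for k in range(1, len(A) + 1):
        for idx in combinations(range(len(A)), k):
            S = [A[i] for i in idx]
            if not lt(num_sum(S), upset_mass(B, S)):
                return False
    return True


def max_flow(cap, src, snk):
    """Edmonds-Karp on a dense Fraction capacity matrix; returns (value, flow matrix)."""
    n = len(cap)
    flow = [[Fr(0)] * n for _ in range(n)]
    total = Fr(0)
    while True:
        parent = [-1] * n
        parent[src] = src
        queue = deque([src])
        while queue and parent[snk] == -1:
            u = queue.popleft()
            for v in range(n):
                if parent[v] == -1 and cap[u][v] - flow[u][v] > 0:
                    parent[v] = u
                    queue.append(v)
        if parent[snk] == -1:
            return total, flow
        bottleneck, v = None, snk          # smallest residual on the augmenting path
        while v != src:
            residual = cap[parent[v]][v] - flow[parent[v]][v]
            bottleneck = residual if bottleneck is None or residual < bottleneck else bottleneck
            v = parent[v]
        v = snk
        while v != src:                    # push it; reverse entries allow cancellation
            flow[parent[v]][v] += bottleneck
            flow[v][parent[v]] -= bottleneck
            v = parent[v]
        total += bottleneck


def splitting(A, B):
    """Theorem 4.8 (2), non-strict form: rationals t[i][j] with t[i][j] != 0 only if
    a_i < b_j, row sums = r_i and column sums <= s_j; None if no such splitting exists.
    Same network as the proof of (1) => (2), but with sink capacities s_j rather than
    the scaled p * s_j that the proof uses to obtain strictness."""
    n, m = len(A), len(B)
    src, snk, size = n + m, n + m + 1, n + m + 2
    cap = [[Fr(0)] * size for _ in range(size)]
    for i, (r, a) in enumerate(A):
        cap[src][i] = r
        for j, (_, b) in enumerate(B):
            if below(a, b):
                cap[i][n + j] = Fr(1)
    for j, (s, _) in enumerate(B):
        cap[n + j][snk] = s
    value, flow = max_flow(cap, src, snk)
    if value != num_sum(A):
        return None
    return [[flow[i][n + j] for j in range(m)] for i in range(n)]


def is_splitting(A, B, t):
    """Check the three conditions of Theorem 4.8 (2) on a candidate matrix t."""
    rows = all(sum(t[i], Fr(0)) == r for i, (r, _) in enumerate(A))
    cols = all(sum(t[i][j] for i in range(len(A))) <= s for j, (s, _) in enumerate(B))
    support = all(t[i][j] == 0 or below(a, b)
                  for i, (_, a) in enumerate(A) for j, (_, b) in enumerate(B))
    return rows and cols and support


# Constructed sample tokens.
A1 = [(Fr(1, 4), "bot"), (Fr(1, 4), "x")]
B1 = [(Fr(1, 2), "top"), (Fr(1, 4), "y")]   # A1 < B1: every subbag has room above it
A2 = [(Fr(1, 2), "x")]
B2 = [(Fr(1, 2), "y")]                       # x and y are unrelated in D: not A2 < B2
A3 = [(Fr(1, 2), "bot")]
B3 = [(Fr(1, 2), "x")]                       # equal mass: a splitting exists, yet not A3 < B3
```

`below_by_subbags` enumerates all $2^n - 1$ nonempty subbags, so it is exponential in the size of $A$; the flow computation is polynomial and additionally returns the witness $t_{ij}$ from which the interpolant $C$ of the paragraph above is built, but to decide the strict order of the paper it has to be combined with the scaling by $p$ described in the proof of (1) ⇒ (2).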


5 Comparing Power Infosys and Power Locale

In this section, we show, as announced in the beginning, that the frames of opens of the power infosys and the power locale are isomorphic.

5.1 The Two Frames

In this subsection, we present the two frames to be compared. Let $D$ be some fixed infosys. The frame $F_1$ is $\Omega\mathcal{P}_1 D$, which can be presented as shown in Section 2.2. The frame $F_2$ is $\Omega\mathcal{V}_1[D]$. It is defined in terms of $\Omega[D]$, which is isomorphic to $\Omega D$. Thus, we arrive at the following presentations:

• Generators for $F_1$: $\uparrow\!A$ for $A$ in $\mathcal{P}_1 D$.

• Relations:

(1) Monotonicity: If $A < B$, then $\uparrow\!A \ge \uparrow\!B$;

(2) All tokens: $\bigvee_{A \in \mathcal{P}_1 D} \uparrow\!A = \top$;

(3) Meets: $\uparrow\!A \wedge \uparrow\!B \le \bigvee_{C > A, B} \uparrow\!C$.

With monotonicity, one obtains '$=$' in (3). There is also the special case $A = B$ of this, which yields

(4) $\uparrow\!A = \bigvee_{C > A} \uparrow\!C$.

• Generators for $F_2$: $(u, q)$ with $u$ in $\Omega D$ and $q$ in $\mathbb{Q}_I$.

• Relations:

(1) $(u, 0) = \top$;

(2) $\bigvee_{r > q} (u, r) = (u, q)$;

(3) If $U \subseteq \Omega D$ is directed, then $(\bigvee U, q) = \bigvee_{u \in U} (u, q)$;

(4) If $q \neq 0$, then $(\emptyset, q) = \bot$;

(5) For all rational $q$ with $0 \sqsubseteq q \sqsubseteq 2$,
$$\bigvee\{(u, r) \wedge (v, s) \mid r, s \in \mathbb{Q}_I,\ r + s = q\} = \bigvee\{(u \vee v, r) \wedge (u \wedge v, s) \mid r, s \in \mathbb{Q}_I,\ r + s = q\}.$$

In case of $F_2$, relation (1) makes the cases $q = 0$ of (2), (3), and (5) redundant; we may assume $q \neq 0$ in (2) through (5).

5.2 A Homomorphism from $F_2$ to $F_1$

In view of the 'intended meaning' of the generators $(u, q)$, we define $\varphi : F_2 \to F_1$ by

$$\varphi(u, q) = \bigvee\{\uparrow\!A \mid A_p u > q\}.$$

We have to show that this definition preserves the relations of $F_2$.

(1) $\varphi(u, 0) = \bigvee\{\uparrow\!A \mid A_p u > 0\} = \bigvee\{\uparrow\!A \mid A \in \mathcal{P}_1 D\} = \top$ by relation (2) of $F_1$.

(2) $\bigvee_{r > q} \varphi(u, r) = \bigvee_{r > q} \bigvee\{\uparrow\!A \mid A_p u > r\} = \bigvee\{\uparrow\!A \mid \exists r > q : A_p u > r\}$. By transitivity and interpolation in $\mathbb{Q}_I$, the latter equals $\bigvee\{\uparrow\!A \mid A_p u > q\} = \varphi(u, q)$.

(3) Here, we need continuity of $A_p$ (Prop. 4.3 (2)). Let $(u_i)_{i \in I}$ be a directed family in $\Omega D$.

$$\varphi\big(\bigvee_{i \in I} u_i, q\big) = \bigvee\{\uparrow\!A \mid A_p(\bigvee_{i \in I} u_i) > q\} = \bigvee\{\uparrow\!A \mid \exists i \in I : A_p u_i > q\} = \bigvee_{i \in I} \bigvee\{\uparrow\!A \mid A_p u_i > q\} = \bigvee_{i \in I} \varphi(u_i, q).$$

(4) By Prop. 4.3 (3), $A_p \emptyset = 0$ holds. Thus, $\varphi(\emptyset, q) = \bigvee\{\uparrow\!A \mid A_p \emptyset > q\}$ is an empty join if $q \neq 0$.

(5) For modularity, we compute

$$\bigvee_{r + s = q} \varphi(u, r) \wedge \varphi(v, s) = \bigvee_{r + s = q} \big(\bigvee\{\uparrow\!A \mid A_p u > r\}\big) \wedge \big(\bigvee\{\uparrow\!B \mid B_p v > s\}\big) = \bigvee\{\uparrow\!A \wedge \uparrow\!B \mid r + s = q,\ A_p u > r,\ B_p v > s\}.$$

With the '$=$' version of relation (3) of $F_1$, we obtain

$$\bigvee\{\uparrow\!C \mid C > A, B,\ A_p u + B_p v > q\}.$$

Applying relation (4) of $F_1$ yields

$$\bigvee\{\uparrow\!D \mid D > C > A, B,\ A_p u + B_p v > q\}.$$

In this situation, $A_p u + B_p v > q$ implies $C_p u + C_p v > q$. Conversely, if $D > C$ and $C_p u + C_p v > q$, then we can interpolate a new $C$ between $D$ and $C$ and let $A = B = C$. Thus, the join above equals

$$x = \bigvee\{\uparrow\!D \mid D > C,\ C_p u + C_p v > q\}.$$

Analogously, the other side of the modularity relation becomes

$$y = \bigvee\{\uparrow\!D \mid D > C,\ C_p(u \vee v) + C_p(u \wedge v) > q\}.$$

We have to show $x = y$. For this, we use Prop. 4.4. It states, for $C < C'$,

$$C_p u + C_p v \sqsubseteq C'_p(u \vee v) + C'_p(u \wedge v) \sqsubseteq C'_p u + C'_p v.$$

For $x \le y$, we interpolate $D > C$ to $D > C' > C$. Then $C < C'$, whence $C'_p(u \vee v) + C'_p(u \wedge v) \sqsupseteq C_p u + C_p v > q$, so $\uparrow\!D$ is a join component of $y$.

The other relation $x \ge y$ is shown analogously, using the second inequality.

Now, we have shown that $\varphi$ preserves all relations of $F_2$. Thus, it extends to a frame homomorphism $\varphi : F_2 \to F_1$.


5.3 A Homomorphism from $F_1$ to $F_2$

To establish a frame homomorphism $\psi : F_1 \to F_2$, we have to specify $\psi(\uparrow\!A)$ for $A$ in $\mathcal{P}_1 D$. Here, we refer to Prop. 4.6, which says $A_p < \mu$ iff for all subbags $S$ of $A$, $\sum\operatorname{num} S < \mu(\uparrow\!\operatorname{set} S)$. This motivates the following definition:

$$\psi(\uparrow\!A) = \bigwedge_{S \subseteq A} \gamma S \qquad\text{where}\qquad \gamma S = \big(\uparrow\!\operatorname{set} S,\ \textstyle\sum\operatorname{num} S\big),$$

which involves a finite meet by finiteness of $A$. We have to prove that $\psi$ preserves the relations of $F_1$.

For monotonicity, we have to show that $A < B$ implies $\psi(\uparrow\!A) \ge \psi(\uparrow\!B)$, or $\bigwedge_{S \subseteq A} \gamma S \ge \bigwedge_{T \subseteq B} \gamma T$. To prove this, it is sufficient to show that for each $S \subseteq A$, there is $T \subseteq B$ with $\gamma S \ge \gamma T$. For $S \subseteq A$, let $T = \{|(r, b) \in B \mid b \in \uparrow\!\operatorname{set} S|\}$. Then $\operatorname{set} T \subseteq \uparrow\!\operatorname{set} S$, whence $\uparrow\!\operatorname{set} T \subseteq \uparrow\!\operatorname{set} S$. Moreover, $\sum\operatorname{num} T = B_p(\uparrow\!\operatorname{set} S) > \sum\operatorname{num} S$ holds by $B > A$ and Cor. 4.7. Since the generators of $F_2$ are monotonic in the first and anti-monotonic in the second argument, these facts imply $\gamma T \le \gamma S$.

For the all-tokens relation, we have to show $\bigvee\{\psi(\uparrow\!A) \mid A \in \mathcal{P}_1 D\} = \top$. This equality holds, since $\psi(\uparrow\!\emptyset) = \gamma\emptyset = (\emptyset, 0) = \top$ by relation (1) of $F_2$.

Finally, for the meets relation, we have to show $\psi(\uparrow\!A) \wedge \psi(\uparrow\!B) \le \bigvee_{C > A, B} \psi(\uparrow\!C)$. This turns out to be difficult and is postponed until later. For the moment, we assume that it has been shown, so that $\psi : F_1 \to F_2$ is a well defined frame homomorphism.

5.4 The Homomorphisms are Inverse

Now, we show that the two frame homomorphisms $\varphi : F_2 \to F_1$ and $\psi : F_1 \to F_2$ are inverse to each other. It suffices to apply $\varphi$ and $\psi$ to generators.

First, we show $\varphi(\psi(\uparrow\!A)) = \uparrow\!A$ for all $A$ in $\mathcal{P}_1 D$.

$$\varphi(\psi(\uparrow\!A)) = \bigwedge_{S \subseteq A} \varphi\big(\uparrow\!\operatorname{set} S, \textstyle\sum\operatorname{num} S\big) = \bigwedge_{S \subseteq A} \bigvee\{\uparrow\!B \mid B_p(\uparrow\!\operatorname{set} S) > \textstyle\sum\operatorname{num} S\}.$$

We have to show that this equals $\uparrow\!A$. For this, we do not use the presentation of $F_1$ by generators and relations, but the concrete form of $F_1$ as consisting of the 'open' subsets of $\mathcal{P}_1 D$, with join being union, meet being intersection followed by $\uparrow$, and $\uparrow\!A = \{B \mid B > A\}$.

First, let $D$ be in the meet above. Then $D > C$ for some $C$ such that for all $S \subseteq A$, $C > B_S$ for some $B_S$ with $(B_S)_p(\uparrow\!\operatorname{set} S) > \sum\operatorname{num} S$. By $C > B_S$, for all $S \subseteq A$, $C_p(\uparrow\!\operatorname{set} S) > \sum\operatorname{num} S$ holds. By Cor. 4.7, this just means $C > A$. Thus, $D > C > A$, whence $D$ is in $\uparrow\!A$.

Conversely, let $D$ be in $\uparrow\!A$. By interpolation, let $D > C > B > A$. By Cor. 4.7, $B > A$ means $B_p(\uparrow\!\operatorname{set} S) > \sum\operatorname{num} S$ for all $S \subseteq A$. By $C > B$, $C$ is in $\bigvee\{\uparrow\!B \mid B_p(\uparrow\!\operatorname{set} S) > \sum\operatorname{num} S\}$ for all $S \subseteq A$. Thus, $C$ is in $\bigcap_{S \subseteq A} \cdots$, and because of $D > C$, $D$ is in $\bigwedge_{S \subseteq A} \cdots$.

Next, we compute $\psi(\varphi(u, q)) = \psi(\bigvee\{\uparrow\!A \mid A_p u > q\}) = \bigvee\{\bigwedge_{S \subseteq A} \gamma S \mid A_p u > q\}$. First, we show that this is below $(u, q)$. For this, it suffices to show that for every $A$ with $A_p u > q$, there is some $S \subseteq A$ with $\gamma S \le (u, q)$. Given $A$ with $A_p u > q$, let $S = \{|(r, a) \in A \mid a \in u|\}$. Then $\operatorname{set} S \subseteq u$, whence $\uparrow\!\operatorname{set} S \subseteq u$; and $\sum\operatorname{num} S = A_p u > q$. By monotonicity of the generators of $F_2$ in the first argument and anti-monotonicity in the second, $\gamma S = (\uparrow\!\operatorname{set} S, \sum\operatorname{num} S) \le (u, q)$ holds.

The final thing to show is $\psi(\varphi(u, q)) \ge (u, q)$. Again, this turns out to be difficult, and we postpone it until later. Except for the two postponed statements, the proof of $F_1 \cong F_2$ is now completed.

5.5 The Missing Relations

Let us now analyze the two relations whose proofs were postponed. The meet relation is

$$\psi(\uparrow\!A) \wedge \psi(\uparrow\!B) \le \bigvee_{C > A, B} \psi(\uparrow\!C)$$

or

$$\bigwedge_{R \subseteq A} \gamma R \wedge \bigwedge_{S \subseteq B} \gamma S \le \bigvee\Big\{\bigwedge_{T \subseteq C} \gamma T \;\Big|\; C > A, B\Big\}.$$

By Cor. 4.7, the condition $C > A$ may be replaced by $C_p(\uparrow\!\operatorname{set} R) > \sum\operatorname{num} R$ for all $R \subseteq A$, and analogously for $C > B$.

After renaming the bound variables, the missing part of the inverse relations is

$$(u, q) \le \bigvee\Big\{\bigwedge_{T \subseteq C} \gamma T \;\Big|\; C_p u > q\Big\}.$$

Written this way, the two postponed relations reveal a common structure. On the left, there is a finite meet of generators $(u_i, q_i)$, and the join on the right is quantified over those $C$ with $C_p u_i > q_i$ for all $i$. Thus, both relations may be derived from a more general critical lemma:

Lemma 5.1 For every infosys $D$, for every finite index set $I$ and all families $(u_i)_{i \in I}$ in $\Omega D$ and $(q_i)_{i \in I}$ in $\mathbb{Q}_I$,

$$\bigwedge_{i \in I} (u_i, q_i) \le \bigvee\Big\{\bigwedge_{S \subseteq C} \big(\uparrow\!\operatorname{set} S, \textstyle\sum\operatorname{num} S\big) \;\Big|\; C \in \mathcal{P}_1 D,\ C_p u_i > q_i\ \forall i \in I\Big\}$$

holds in $F_2 = \Omega\mathcal{V}_1[D]$.

Because of the complexity of our proof of the critical lemma, we devote the whole next section to it. Summarizing the results of this section, we have shown, modulo a proof of the critical lemma, the following theorem:

Theorem 5.2 For every infosys $D$, the frames $\Omega\mathcal{P}_1 D$ and $\Omega\mathcal{V}_1[D]$ are isomorphic.

6 Proof of the Critical Lemma

In this section, the critical lemma will be proved. The very basic idea of the proof is taken from the proof of Lemma 5.3 in [6] or Lemma 8.3 in [7], which state a vaguely similar property involving points and concrete open sets. The added difficulty in our proof is due to the fact that we have to work pointless, because the spatiality of the locale of $F_2$ is a priori unknown. (A posteriori, it follows from Theorem 5.2.)

6.1 Outline of the Proof

The above mentioned proof of Jones employs so-called crescents, which are set differences of two concrete open sets. To mimic this, we set up a new frame $F_3$ in Subsection 6.3 with generators $(u, v, q)$, whose intended spatial meaning is the set of all $\mu$ with $\mu(u \setminus v) > q$, or $\mu u - \mu(u \wedge v) > q$. With an appropriate choice of relations for $F_3$, the obvious assignment $(u, q) \mapsto (u, \emptyset, q)$ becomes a frame homomorphism $\alpha : F_2 \to F_3$.

Let the critical lemma be $L \le R$ in $F_2$. The added possibilities of $F_3$ allow proving $\alpha L \le \alpha R$ in $F_3$ in vague analogy to Jones's proof of the Lemmas mentioned above (Subsection 6.4). After having managed this, we only have to show that $\alpha$ is an order embedding; then $\alpha L \le \alpha R$ in $F_3$ implies $L \le R$ in $F_2$.

By the Corollary in paragraph II, 2.6 of [5, page 53], $F_2$ can be embedded by a frame homomorphism $\eta$ into a complete Boolean algebra $G$. Given $\eta$ and $G$, we are able to define a (non-trivial) frame homomorphism $\beta : F_3 \to G$ with $\beta \circ \alpha = \eta$ (Subsection 6.6). Then $\alpha$ is an embedding, since $\eta$ is an embedding.

The remaining subsections 6.2 and 6.5 introduce auxiliary notation to master the complexities of the proofs.

6.2 Real Valued Functions I

Before we present $F_3$ and prove the $\alpha$-image of the critical lemma in $F_3$, we introduce some pieces of auxiliary notation, which allow for replacing complex join-and-meet expressions by simple arithmetically looking expressions with familiar laws.

Let $F$ be an arbitrary frame and $X$ the locale with $\Omega X = F$. Then continuous functions $f : X \to \mathbb{R}_0^\infty$ with values in the positive reals (including $0$ and $\infty$) correspond to frame homomorphisms $\Omega f : \Omega\mathbb{R}_0^\infty \to F$. Analogously to the infosys $\mathbb{Q}_I$ for $I$, an infosys for $\mathbb{R}_0^\infty$ is given by the positive rationals $\mathbb{Q}_0$ (including $0$, but not $\infty$), with order '$<$' which is the usual order '$\sqsubset$' plus the one additional relationship $0 < 0$. Like $\Omega\mathbb{Q}_I$, the frame $\Omega\mathbb{R}_0^\infty = \Omega\mathbb{Q}_0$ can be presented by generators $\uparrow\!q$ for $q$ in $\mathbb{Q}_0$ and the two relations of rational zero and rational continuity. Thus, frame homomorphisms from $\Omega\mathbb{R}_0^\infty$ to $F$ correspond to functions defined on the generators $\uparrow\!q$ satisfying the two relations.

To obtain a real notational benefit, we now forget about $X$, write $f$ for $\Omega f$, and $q$ for $\uparrow\!q$. Thus, we define:

Definition 6.1 For every frame $F$, let $\mathcal{R}F$ be the set of all functions $f$ from $\mathbb{Q}_0$ to $F$ satisfying the two properties

(1) $f0 = \top$;

(2) $\bigvee_{r > q} fr = fq$ (and thus $r > q$ implies $fr \le fq$).

A function $f$ is bounded iff there is $q$ with $fq = \bot$.

We now define several operations on $\mathcal{R}F$. For every operation, satisfaction of the two conditions for $\mathcal{R}F$ has to be shown. We shall omit most of these proofs.

The members of $\mathcal{R}F$ are ordered pointwise: $f \le g$ iff for all $q$, $fq \le gq$ holds. Obviously, if $f \le g$ and $g$ is bounded, then $f$ is bounded.

Non-empty joins may be defined pointwise: $(\bigvee_{i \in I} f_i)q = \bigvee_{i \in I} (f_i q)$.

The empty join $0$ or $\bot$ is given by $0(0) = \top$ and $0(q) = \bot$ for $q \neq 0$. It is not given pointwise, since $0(0)$ is $\top$ instead of $\bot$.

Finite meets (including the empty meet $\top$) are given pointwise: $(\bigwedge_{i \in I} f_i)q = \bigwedge_{i \in I} (f_i q)$. With these joins and meets, $\mathcal{R}F$ becomes a frame.

We define a special member $1$ of $\mathcal{R}F$ by $1(q) = \top$ for $q \sqsubset 1$ and $\bot$ otherwise. In spatial intuitions, this corresponds to the function with constant real value $1$. Thus, functions from the locale of $F$ to $I$ exactly correspond to those $f$ in $\mathcal{R}F$ with $f \le 1$, or equivalently $f1 = \bot$.

For two reals $x$ and $y$, $x + y > q$ holds iff $x > r$ and $y > s$ for some rationals $r$ and $s$ with $r + s = q$. Thus, we define

$$(f + g)q = \bigvee_{r, s : r + s = q} fr \wedge gs.$$

(This is the same kind of expression as used in the modularity relation.) It is easy to show that $(\mathcal{R}F, +, 0)$ forms a commutative monoid.

Because they are given pointwise, addition preserves non-empty joins: $f + \bigvee_{i \in I} g_i = \bigvee_{i \in I} (f + g_i)$. In particular, it is continuous and thus monotonic. By monotonicity, $f = f + 0 \le f + g$ always holds, whence $f \vee g \le f + g$. Addition does not preserve the empty join, since $f + 0 = f$ holds instead of $f + 0 = 0$.

Because of their pointwise nature, finite joins and non-empty meets of bounded functions are bounded. Also the sum of two bounded functions is bounded: if $fr_0 = \bot$ and $gs_0 = \bot$, then $(f + g)(r_0 + s_0) = \bot$, since $r + s = r_0 + s_0$ implies $r \sqsupseteq r_0$ or $s \sqsupseteq s_0$.

The benefit of the new notations becomes obvious when we consider the frame $F_2$. For every $u$ in $\Omega D$, the assignment $q \mapsto (u, q)$ for $q \sqsubseteq 1$ and $q \mapsto \bot$ for $q \sqsupset 1$ becomes a function in $\mathcal{R}F_2$ by the relations of rational zero and rational continuity. We call this function $[u]$. Abstracting out the $q$'s in the generators, we reach a formal 'presentation' of $\mathcal{R}F_2$ with 'generators' $[u]$ for $u$ in $\Omega D$ and 'relations'

• Bounded by one: $[u] \le 1$;

• Continuity: for directed families $(u_i)_{i \in I}$, $[\bigvee_{i \in I} u_i] = \bigvee_{i \in I} [u_i]$;

• Zero law: $[\emptyset] = 0$;

• Modularity: $[u \vee v] + [u \wedge v] = [u] + [v]$.

We do not claim that this 'presentation' presents anything directly, although it could probably be achieved by some more work, but we consider it as notational shorthand for our presentation of $F_2$. Intuitively and informally, $[u]$ can be best understood as the size or area of the 'region' $u$; the relations above then get a quite appealing interpretation.
6.3 The Frame $F_3$

We now present the frame $F_3$ by giving a 'presentation' of $\mathcal{R}F_3$. It has generators $[u, v]$ for every $u, v$ in $\Omega D$, whose intuitive meaning is the size or area of the 'region' $u \setminus v$, and relations

(1) Bounded by one: $[u, v] \le 1$;

(RC) Restricted Continuity: for directed families $(u_i)_{i \in I}$ and $v$ with $v \le u_i$ for all $i$,
$$[\bigvee_{i \in I} u_i, v] = \bigvee_{i \in I} [u_i, v];$$

(0) Zero law: $[\emptyset, \emptyset] = 0$;

(∧) Meet law: $[u, v] = [u, u \wedge v]$;

(∨) Join law: $[u, v] = [u \vee v, v]$;

(S) Split law: if $u \ge v \ge w$, then $[u, w] = [u, v] + [v, w]$.

Again, this should not be understood as an actual presentation of anything, but as shorthand for a presentation of $F_3$, which results by adding $q$'s. Thus, the generators for $F_3$ are $(u, v, q) = [u, v](q)$, and the split law for instance becomes: if $u \ge v \ge w$, then for all $q$, $(u, w, q) = \bigvee_{r, s : r + s = q} (u, v, r) \wedge (v, w, s)$.

A frame homomorphism $\alpha : F_2 \to F_3$ is specified by $\alpha(u, q) = (u, \emptyset, q)$, or in shorthand $\alpha[u] = [u, \emptyset]$. (Actually, it should be $\alpha \circ [u] = [u, \emptyset]$, but we drop '$\circ$'.) Preservation of the relations of $F_2$ is immediate except for modularity. In the sequel, we shall take the relations for $\mathcal{R}F_3$ as axioms and derive a host of conclusions, including modularity, needed for the proof of the $\alpha$-image of the critical lemma.

(C) Full Continuity: for directed families $(u_i)_{i \in I}$ and arbitrary $v$, $[\bigvee_{i \in I} u_i, v] = \bigvee_{i \in I} [u_i, v]$.

Proof: Applying the join law on both sides yields $[\bigvee_{i \in I} u_i \vee v, v] = \bigvee_{i \in I} [u_i \vee v, v]$, which holds by restricted continuity (RC). □

(M1) Monotonicity: if $u \le u'$, then $[u, v] \le [u', v]$.

Proof: Directly from full continuity (C), or from the split law like (M2) below. □

(M2) Anti-Monotonicity: if $v \le v'$, then $[u, v] \ge [u, v']$.

Proof: $[u, v] = [u, u \wedge v] = [u, u \wedge v'] + [u \wedge v', u \wedge v] \ge [u, u \wedge v'] = [u, v']$. □

(∨') Extended join law: if $v' \le v$, then $[u \vee v', v] = [u, v]$.

Proof: $[u, v] \le [u \vee v', v] \le [u \vee v, v] = [u, v]$; the two inequalities hold by (M1), the equality by (∨). □

(∧') Extended meet law: if $u' \ge u$, then $[u, u' \wedge v] = [u, v]$.

Proof: $[u, v] \le [u, u' \wedge v] \le [u, u \wedge v] = [u, v]$; the two inequalities hold by (M2), the equality by (∧). □

(E) Extinction: if $u \le v$, then $[u, v] = 0$.

Proof: $[u, v] = [\emptyset \vee u, v] = [\emptyset, v] = [\emptyset, \emptyset] = 0$, by (∨'), (∧) and (0). □
The next property is the $\alpha$-image of modularity.

(Mod) $[u \vee v, \emptyset] + [u \wedge v, \emptyset] = [u, \emptyset] + [v, \emptyset]$.

Proof:

$$[u \vee v, \emptyset] + [u \wedge v, \emptyset] \overset{\text{(S)}}{=} [u \vee v, v] + [v, \emptyset] + [u \wedge v, \emptyset] \overset{(\vee),(\wedge)}{=} [u, u \wedge v] + [u \wedge v, \emptyset] + [v, \emptyset] \overset{\text{(S)}}{=} [u, \emptyset] + [v, \emptyset]. \qquad □$$

The following properties are auxiliary lemmas needed in the proof of the $\alpha$-image of the critical lemma. The first statement shows how to partition $[u, v]$ into parts inside and outside some $w$.

(1) $[u, v] = [u \wedge w, v] + [u, v \vee w]$.

Proof: By (∨) and split, $[u, v] = [u \vee v, v] = [u \vee v, (u \wedge w) \vee v] + [(u \wedge w) \vee v, v]$. By (∨), the second summand equals $[u \wedge w, v]$. By (∨'), the first becomes $[u, (u \wedge w) \vee v]$. By two applications of (∧), this equals $[u, w \vee v]$. □

Next, we generalize (1) to a finite number of $w$'s.

(2) If $W$ is a finite set of opens, then $[u, v] = \sum_{T \subseteq W} [u \wedge \bigwedge T,\ v \vee \bigvee (W \setminus T)]$.

Proof: The proof is performed by induction on $|W|$. For $W = \emptyset$, the sum just equals $[u, v]$. For $W \neq \emptyset$, let $w$ be a member of $W$ and $W' = W \setminus \{w\}$. By (1), $[u, v]$ is $[u \wedge w, v] + [u, v \vee w]$. By induction hypothesis, we obtain

$$[u \wedge w, v] = \sum_{T \subseteq W'} [u \wedge w \wedge \bigwedge T,\ v \vee \bigvee (W' \setminus T)].$$

Replacing $T$ by $T \cup \{w\}$, this becomes

$$\sum_{T : w \in T \subseteq W} [u \wedge \bigwedge T,\ v \vee \bigvee (W \setminus T)].$$

The other summand is treated similarly:

$$[u, v \vee w] = \sum_{T \subseteq W'} [u \wedge \bigwedge T,\ v \vee w \vee \bigvee (W' \setminus T)] = \sum_{T : w \notin T \subseteq W} [u \wedge \bigwedge T,\ v \vee \bigvee (W \setminus T)]. \qquad □$$

For the actual proof of the critical lemma, we need a slight variant of (2):

(3) Let $U$ be a finite set of opens. For all $u$ in $U$: $[u, \emptyset] = \sum_{T : u \in T \subseteq U} [\bigwedge T,\ \bigvee (U \setminus T)]$.

Proof: Apply (2) to $[u, \emptyset]$ with $W = U \setminus \{u\}$. □

The next statement shows how to transform a join into a sum.

(4) $[u \vee u', v] = [u, v] + [u', u \vee v]$.

Proof: Applying (1) with $w = u$, we obtain $[u \vee u', v] = [(u \vee u') \wedge u, v] + [u \vee u', v \vee u]$. The first summand is $[u, v]$, and with (∨'), the second becomes $[u', u \vee v]$. □

The next step is the generalization of (4) to arbitrary finite joins.

(5) $[\bigvee_{i=1}^n u_i, v] = \sum_{i=1}^n [u_i,\ v \vee \bigvee_{j=1}^{i-1} u_j]$.

Proof: For $n = 0$, the equation is $[\emptyset, v] = 0$, which is true by (E). For $n > 0$, we compute:

$$\sum_{i=1}^n [u_i,\ v \vee \bigvee_{j=1}^{i-1} u_j] = \sum_{i=1}^{n-1} [u_i,\ v \vee \bigvee_{j=1}^{i-1} u_j] + [u_n,\ v \vee \bigvee_{j=1}^{n-1} u_j] = [\bigvee_{i=1}^{n-1} u_i, v] + [u_n,\ v \vee \bigvee_{j=1}^{n-1} u_j] = [\bigvee_{i=1}^n u_i, v],$$

using the induction hypothesis and then (4). □

The next statement is another form of modularity.

(7) If $u_1 \ge v_1$ and $u_2 \ge v_2$, then $[u_1, v_1] + [u_2, v_2] = [u_1 \vee u_2,\ v_1 \vee v_2] + [u_1 \wedge u_2,\ v_1 \wedge v_2]$.

Proof: By (1) with $w = v_2$, $[u_1, v_1] = [u_1 \wedge v_2, v_1] + [u_1, v_1 \vee v_2]$.

By (1) with $w = u_1$, $[u_2, v_2] = [u_1 \wedge u_2, v_2] + [u_2, u_1 \vee v_2]$.

We show that the right hand side can be partitioned into the same four summands. By (4), $[u_1 \vee u_2,\ v_1 \vee v_2] = [u_1,\ v_1 \vee v_2] + [u_2,\ u_1 \vee v_1 \vee v_2]$ holds. By $u_1 \ge v_1$, the second summand simplifies to $[u_2, u_1 \vee v_2]$.

By (1) with $w = v_2$, $[u_1 \wedge u_2,\ v_1 \wedge v_2] = [u_1 \wedge u_2 \wedge v_2,\ v_1 \wedge v_2] + [u_1 \wedge u_2,\ (v_1 \wedge v_2) \vee v_2]$. By $u_2 \ge v_2$, the first summand simplifies to $[u_1 \wedge v_2,\ v_1 \wedge v_2]$, which by (∧') equals $[u_1 \wedge v_2, v_1]$; the second summand is $[u_1 \wedge u_2, v_2]$. □

Our next goal is to show that the sum of the areas of a finite number of disjoint regions is bounded by the area of a region that covers them all. To formalize disjointness in our framework, consider proper sets. The intersection of $A \setminus B$ and $A' \setminus B'$ is $(A \cap A') \setminus (B \cup B')$; it is empty iff $A \cap A' \subseteq B \cup B'$.

(8) Let $u_1, \dots, u_n$ and $v_1, \dots, v_n$ be opens with $u_i \wedge u_j \le v_i \vee v_j$ for $i \neq j$ (disjointness condition). Then $\sum_{i=1}^n [u_i, v_i] \le [\bigvee_{i=1}^n u_i, \emptyset]$.

Proof: Applying (∧), we may replace $v_i$ by $u_i \wedge v_i$. The disjointness condition then still holds. Thus, we may assume without restriction $u_i \ge v_i$ for all $i$.

Before proving the statement by induction on $n$, we consider the effect of one application of (7) from left to right to two summands of $\sum [u_i, v_i]$. By simple computations, it can be checked that such a rewriting step keeps the number of summands and the join $\bigvee u_i$ invariant, and preserves the conditions $u_i \ge v_i$ and the disjointness condition.

For $n = 0$, $0 \le [\emptyset, \emptyset]$ holds. For the case of $n + 1$, consider $[u_0, v_0] + [u_1, v_1] + \dots + [u_n, v_n]$. We rewrite this expression $n$ times by (7), going from left to right:

$$[u_0, v_0] + [u_1, v_1] + \dots + [u_n, v_n] = [u_0 \wedge u_1,\ v_0 \wedge v_1] + [u_0 \vee u_1,\ v_0 \vee v_1] + [u_2, v_2] + \dots + [u_n, v_n]$$
$$= [u_0 \wedge u_1,\ v_0 \wedge v_1] + [(u_0 \vee u_1) \wedge u_2,\ (v_0 \vee v_1) \wedge v_2] + [u_0 \vee u_1 \vee u_2,\ v_0 \vee v_1 \vee v_2] + [u_3, v_3] + \dots + [u_n, v_n] = \cdots$$

The final outcome is $\sum_{i=1}^n [u'_i, v'_i] + [u, v]$, where $u'_i = (\bigvee_{j=0}^{i-1} u_j) \wedge u_i$, $v'_i = (\bigvee_{j=0}^{i-1} v_j) \wedge v_i$, $u = \bigvee_{i=0}^n u_i$, and $v = \bigvee_{i=0}^n v_i$. As indicated above, the rewriting steps preserve the disjointness condition. Thus, the induction hypothesis may be used to show that the sum is bounded by $[u, v] + [\bigvee_{i=1}^n u'_i, \emptyset]$. Using the disjointness condition, we may compute for every $i$:

$$u'_i = \bigvee_{j=0}^{i-1} (u_j \wedge u_i) \le \bigvee_{j=0}^{i-1} (v_j \vee v_i) \le v.$$

Thus,

$$[u, v] + [\bigvee_{i=1}^n u'_i, \emptyset] \le [u, v] + [v, \emptyset] = [u, \emptyset],$$

which is the required result. □

Next, we prove that summands as occurring in (3) satisfy the disjointness condition of (8).

(9) Let $U$ be a finite set of opens, and let $T$ vary over the subsets of $U$. The families $u_T = \bigwedge T$ and $v_T = \bigvee (U \setminus T)$ satisfy the disjointness condition of (8).

Proof: If $T \neq T'$, then without restriction, there is $u$ in $T$ with $u$ not in $T'$. Then

$$u_T \wedge u_{T'} \le \bigwedge T \le u \le \bigvee (U \setminus T') \le v_T \vee v_{T'}. \qquad □$$

For the last auxiliary statement, opens have to be considered as token sets, to which set difference and subset relation can be applied.

(10) $[u, v] = \bigvee_{F \subseteq_{\mathrm{fin}} u \setminus v} [\uparrow\!F, v]$; this join is directed.

Proof: The join is directed by monotonicity of '$\uparrow$'. Thus, continuity (C) can be applied, and we have to show $[u, v] = [\bigvee_{F \subseteq_{\mathrm{fin}} u \setminus v} \uparrow\!F,\ v]$. The relation '$\ge$' directly follows from monotonicity (M1). For '$\le$', we show $u \le v \vee \bigvee_{F \subseteq_{\mathrm{fin}} u \setminus v} \uparrow\!F$, and then apply (M1) and (∨). Let $a$ be in $u$. If $a$ is in $v$, we are done. Otherwise, let $a > b \in u$. Token $b$ is not in $v$, since $a$ is not in $v$. Thus, $a$ is in $\uparrow\!\{b\}$ where $\{b\} \subseteq u \setminus v$. □

For the application of the statements above, it is useful to note how statements involving sums may be turned into statements involving meets. If $f_1, \dots, f_n$ are functions in $\mathcal{R}F$ for some frame $F$ and we know $\sum_{i=1}^n f_i \le g$, then $\bigwedge_{i=1}^n f_i q_i \le g(\sum_{i=1}^n q_i)$ follows, since the meet on the left is just one join component of the expanded form of $(\sum_i f_i)(\sum_i q_i)$.
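The crescent laws (1), (2), (4), (5), (7), (8) and (9) under their spatial reading $[u, v] \mapsto \mu(u \setminus v)$, as an added sanity check that is not part of the original paper: with $u \wedge v$ taken as plain intersection and $\mu$ a constructed finite weighted measure, each law becomes an identity or inequality of rationals that the code verifies on sample regions. It checks the intuition behind the laws only, not the frame $F_3$ itself, where $u \wedge v$ is $\uparrow(u \cap v)$ and the statements are proved from the axioms above; the points, weights and function names are assumptions of the example.

```python
from fractions import Fraction as Fr
from itertools import combinations

# Constructed finite "space": points with rational weights, so mu is a sub-probability
# measure.  Regions are frozensets of points; the empty meet is the whole space.
POINTS = {"p": Fr(1, 4), "q": Fr(1, 8), "r": Fr(1, 8), "s": Fr(1, 4), "t": Fr(1, 8)}
ALL = frozenset(POINTS)


def mu(region):
    return sum((POINTS[x] for x in region), Fr(0))


def crescent(u, v):
    """Spatial reading of the generator [u, v]: the area of the crescent u \\ v."""
    return mu(u - v)


def meet(*regions):
    out = ALL
    for x in regions:
        out = out & x
    return out


def join(*regions):
    out = frozenset()
    for x in regions:
        out = out | x
    return out


def law_1(u, v, w):
    """(1): [u, v] = [u /\\ w, v] + [u, v \\/ w]."""
    return crescent(u, v) == crescent(u & w, v) + crescent(u, v | w)


def law_2(u, v, W):
    """(2): [u, v] = sum over T <= W of [u /\\ /\\T, v \\/ \\/(W \\ T)]."""
    total = Fr(0)
    for k in range(len(W) + 1):
        for T in combinations(W, k):
            rest = [w for w in W if w not in T]
            total += crescent(meet(u, *T), join(v, *rest))
    return total == crescent(u, v)


def law_4(u, u2, v):
    """(4): [u \\/ u', v] = [u, v] + [u', u \\/ v]."""
    return crescent(u | u2, v) == crescent(u, v) + crescent(u2, u | v)


def law_5(us, v):
    """(5): [\\/_i u_i, v] = sum_i [u_i, v \\/ \\/_{j<i} u_j]."""
    total = sum((crescent(us[i], join(v, *us[:i])) for i in range(len(us))), Fr(0))
    return total == crescent(join(*us), v)


def law_7(u1, v1, u2, v2):
    """(7), for u1 >= v1 and u2 >= v2: both sides decompose into the same four parts."""
    assert v1 <= u1 and v2 <= u2
    lhs = crescent(u1, v1) + crescent(u2, v2)
    rhs = crescent(u1 | u2, v1 | v2) + crescent(u1 & u2, v1 & v2)
    return lhs == rhs


def disjoint(us, vs):
    """Disjointness condition of (8): u_i /\\ u_j <= v_i \\/ v_j for all i != j."""
    return all((us[i] & us[j]) <= (vs[i] | vs[j])
               for i in range(len(us)) for j in range(len(us)) if i != j)


def law_8(us, vs):
    """(8): under disjointness, sum_i [u_i, v_i] <= [\\/_i u_i, empty]."""
    assert disjoint(us, vs)
    total = sum((crescent(u, v) for u, v in zip(us, vs)), Fr(0))
    return total <= crescent(join(*us), frozenset())


def law_9(U):
    """(9): u_T = /\\T and v_T = \\/(U \\ T), for T <= U, satisfy the disjointness condition."""
    subsets = [T for k in range(len(U) + 1) for T in combinations(U, k)]
    us = [meet(*T) for T in subsets]
    vs = [join(*[w for w in U if w not in T]) for T in subsets]
    return disjoint(us, vs)
```

Each `law_*` function returns `True` when the identity or inequality holds for the regions passed in; since (1), (2), (4) and (5) are partitions of a set difference, and (7) to (9) are the set-theoretic statements the text itself uses as motivation, the checks succeed for arbitrary regions, which is the point of running them on more than one input.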

6.4 The Critical Lemma in the Frame $F_3$

With the auxiliary statements collected in the previous subsection, we are now able to prove the $\alpha$-image of the critical lemma. The statement to be shown is:

$$\bigwedge_{i \in I} (u_i, \emptyset, q_i) \le \bigvee\Big\{\bigwedge_{S \subseteq A} \big(\uparrow\!\operatorname{set} S,\ \emptyset,\ \textstyle\sum\operatorname{num} S\big) \;\Big|\; A \in \mathcal{P}_1 D,\ A_p u_i > q_i\ \forall i \in I\Big\}$$

for finite families $u_1, \dots, u_n$ and $q_1, \dots, q_n$.

For $n = 0$, the statement holds, since $A = \emptyset$ is then involved in the join on the right, and $\bigwedge_{S \subseteq \emptyset} (\uparrow\!\operatorname{set} S, \emptyset, \sum\operatorname{num} S) = \top$.

For $n \neq 0$, our strategy is to break up the left hand side into a huge join, and then show that every component of this join is below the right hand side. Without restriction, we may assume that the $u_i$ are pairwise different; for the left, this is since $(u, \emptyset, q) \wedge (u, \emptyset, q') = (u, \emptyset, \max(q, q'))$, and on the right, since $A_p u > q$ and $A_p u > q'$ iff $A_p u > \max(q, q')$. Thus, we may assume in the sequel that the index set $I$ coincides with $\{u_1, \dots, u_n\}$.

By rational continuity, $(u_i, \emptyset, q_i)$ is the join of the $(u_i, \emptyset, q'_i)$ with $q'_i > q_i$. Applying (3) to $(u_i, \emptyset, q'_i)$, we see that this generator is a join of components $\bigwedge_{T : i \in T \subseteq I} (u_T, v_T, q_i^T)$, where $u_T = \bigwedge_{j \in T} u_j$ and $v_T = \bigvee_{j \in I \setminus T} u_j$, and the numbers $(q_i^T)_{T : i \in T \subseteq I}$ are some numbers with $\sum_{T : i \in T \subseteq I} q_i^T = q'_i > q_i$.

By the step just performed, the left hand side is a meet of joins of meets. Applying distributivity, it can be rewritten into a join of more meets. For a fixed $T \subseteq I$, the meet of all $(u_T, v_T, q_i^T)$ with $i$ in $T$ can be contracted into $(u_T, v_T, q^T)$, where $q^T = \max_{i \in T} q_i^T$. Thus, we reach a join of components $\bigwedge_{T : \emptyset \neq T \subseteq I} (u_T, v_T, q^T)$ with $u_T$ and $v_T$ as above, and some numbers $q^T$ such that for all $i$ in $I$, $\sum_{T : i \in T \subseteq I} q^T > q_i$. If we index something over $T$ in the sequel, this should always be understood as indexed over $\{T \mid \emptyset \neq T \subseteq I\}$.

There are two kinds of components $\bigwedge_T (u_T, v_T, q^T)$: those with $q := \sum_T q^T \sqsubset 1$ and those with $q \sqsupseteq 1$. We treat the latter first. The component $\bigwedge_T (u_T, v_T, q^T)$ is just one join component of $(\sum_T [u_T, v_T])(q)$. By (9), the opens $u_T$ and $v_T$ satisfy the disjointness condition of (8), whence $(\sum_T [u_T, v_T])(q)$ is below $[\bigvee_T u_T, \emptyset](q)$. If $q \sqsupseteq 1$, the latter is $\bot$ by the 'bounded by one' condition of $\mathcal{R}F_3$. Thus, components $\bigwedge_T (u_T, v_T, q^T)$ with $\sum_T q^T \sqsupseteq 1$ equal $\bot$ and deserve no further attention.

Using (10), the remaining components $\bigwedge_T (u_T, v_T, q^T)$ can be written as a join of $\bigwedge_T (\uparrow\!F_T, v_T, q^T)$, where $F_T$ is some finite subset of $u_T \setminus v_T$. Let $F_T = \{a_1^T, \dots, a_{m_T}^T\}$. Using (5), we can write $\bigwedge_T (\uparrow\!F_T, v_T, q^T)$ as a join of components

$$\bigwedge_T \bigwedge_{j=1}^{m_T} \Big(\uparrow\!a_j^T,\ \bigvee_{k=1}^{j-1} \uparrow\!a_k^T \vee v_T,\ r_j^T\Big) \qquad\text{for some numbers } r_j^T \text{ with } \sum_{j=1}^{m_T} r_j^T = q^T.$$

For every such component $Z$, we shall now construct a power token $A$ with two properties: it is in the set on the right of the critical lemma, and the join component $Z$ is below $\bigwedge_{S \subseteq A} (\uparrow\!\operatorname{set} S, \emptyset, \sum\operatorname{num} S)$. We define $A = \biguplus_T \{|(r_1^T, a_1^T), \dots, (r_{m_T}^T, a_{m_T}^T)|\}$. This is a legal power token since $\sum_T \sum_j r_j^T = \sum_T q^T \sqsubset 1$.

First, we verify $A_p u_i > q_i$ for every $i$ in $I$. We may compute $A_p u_i = \sum\{|\, r_j^T \mid a_j^T \in u_i \,|\}$. We know $a_j^T \in F_T \subseteq u_T = \bigwedge_{l \in T} u_l \le u_i$ if $i$ is in $T$. Thus, $i$ in $T$ implies $a_j^T$ in $u_i$, whence $A_p u_i \sqsupseteq \sum\{|\, r_j^T \mid i \in T \,|\} = \sum_{T : i \in T} q^T > q_i$.

Second, we have to show

$$\bigwedge_T \bigwedge_{j=1}^{m_T} \Big(\uparrow\!a_j^T,\ \bigvee_{k=1}^{j-1} \uparrow\!a_k^T \vee v_T,\ r_j^T\Big) \le \bigwedge_{S \subseteq A} \big(\uparrow\!\operatorname{set} S,\ \emptyset,\ \textstyle\sum\operatorname{num} S\big).$$

Let $S$ be a fixed subbag of $A$. For every $T$, let $S_T$ be the part of $S$ consisting of pairs $(r_j^T, a_j^T)$ only. Then we obtain with (M2), letting $j$ and $k$ range over the indices of the pairs in $S_T$:

$$\bigwedge_T \bigwedge_{j=1}^{m_T} \Big(\uparrow\!a_j^T,\ \bigvee_{k=1}^{j-1} \uparrow\!a_k^T \vee v_T,\ r_j^T\Big) \le \bigwedge_T \bigwedge_{j \in S_T} \Big(\uparrow\!a_j^T,\ \bigvee_{k \in S_T,\ k < j} \uparrow\!a_k^T \vee v_T,\ r_j^T\Big).$$

By (5), the latter is below $\bigwedge_T (\uparrow\!\operatorname{set} S_T,\ v_T,\ \sum\operatorname{num} S_T)$. It remains to show that this is below $(\uparrow\!\operatorname{set} S, \emptyset, \sum\operatorname{num} S)$. This is true by (8), since the opens $\uparrow\!\operatorname{set} S_T \subseteq u_T$ and $v_T$ satisfy the disjointness condition by (9), and $\bigvee_T \uparrow\!\operatorname{set} S_T = \uparrow\!\operatorname{set} S$ and $\sum_T \sum\operatorname{num} S_T = \sum\operatorname{num} S$ hold.

This concludes the proof of the critical lemma in $F_3$.

6.5  Real  Valued  Functions  II 

As announced in Subsection 6.1, we want to construct a frame homomorphism β : F3 → G for complete Boolean algebras G with η : F2 → G such that β ∘ α = η. Before we do so, we investigate which additional properties the ‘real valued functions’ RG have if G is not just a frame, but a complete Boolean algebra. We shall show that the cBa structure allows defining a partial operation of subtraction on RG. 

Given two positive reals x and y with x ⊒ y and a positive rational q (all possibly being 0), when is x − y > q? If q = 0, the answer is always, because our order even satisfies 0 > 0. For q ≠ 0, x − y > q iff there is r > q with x > r ⊒ q + y. With s = r − q, this is equivalent to: there is s ⊐ 0 with x > q + s and y ⊑ s, i.e., not y > s. In this existential statement, the case s = 0 may be included without harm since ‘not y > 0’ is always false. 

This derivation motivates the following definition of subtraction in RG for a complete Boolean algebra G: 

Definition 6.2 For f, g in RG with f ≥ g, let 

$$(f - g)(q) \;=\; \begin{cases} T & \text{if } q = 0 \\[2pt] \bigvee_{s} f(q+s) \wedge \neg g s & \text{if } q \ne 0 \end{cases}$$

The first thing to verify is that f − g is a legal member of RG. The condition (f − g)(0) = T is part of the definition, and (f − g)(q) = ⋁_{t>q} (f − g)(t) holds for q ≠ 0, since the argument q occurs positively in the definition of f − g. 

In  the  sequel,  we  state  and  prove  some  properties  of  subtraction. 

S0: ‘−’ preserves non-empty joins in its first argument (but not in the second); thus, in particular it is continuous there. 

Proof: Non-empty joins are given pointwise, and f occurs positively in the definition. □ 

S1: For all f, f − 0 = f. 

Proof: For q ≠ 0, (f − 0)(q) = ⋁_s f(q + s) ∧ ¬0(s) = ⋁_{s≠0} f(q + s) = fq by rational continuity. □ 

S2: For all f, f − f = 0. 

Proof: For q ≠ 0, (f − f)(q) = ⋁_s f(q + s) ∧ ¬fs. By q + s ⊒ s, this is below ⋁_s fs ∧ ¬fs = F. □ 

The next statement prepares the following mixed associativity law. 

S3: If g ≥ h and h is bounded, then (f + g) − h ≥ f. 

Proof: For q ≠ 0, we obtain 

$$((f + g) - h)(q) \;=\; \bigvee_{q_1 + q_2 = q + s} f q_1 \wedge g q_2 \wedge \neg h s .$$

We have to show that this is above fq = ⋁_{r>q} fr. For fixed r > q, consider fr. Fixing q_1 = r, we obtain 

$$((f + g) - h)(q) \;\ge\; f r \wedge \bigvee_{q_2,\, s:\; r + q_2 = q + s} g q_2 \wedge \neg h s .$$

We show that the big join in this expression equals T. With d = r − q, it becomes ⋁_{q_2} g q_2 ∧ ¬h(q_2 + d). Using g ≥ h and restricting to multiples of d, the latter join is above ⋁_{n∈N_0} h(n·d) ∧ ¬h((n + 1)·d). Since h is bounded and d ⊐ 0, there is some m with h((m + 1)·d) = F. Thus, the join equals (T ∧ ¬hd) ∨ (hd ∧ ¬h(2d)) ∨ ⋯ ∨ (h(m·d) ∧ ¬F), which can be contracted to T. □ 

The next statement is the important mixed associativity law. 

S4: If g ≥ h and h is bounded, then f + (g − h) = (f + g) − h. 

Proof: For q ≠ 0, we have (f + (g − h))(q) = ⋁_{q_1+q_2=q} fq_1 ∧ (g − h)(q_2). Here, we must single out the case q_2 = 0, i.e., q_1 = q. It yields a single join component fq. Thus, 

$$L_q \;=\; f q \;\vee \bigvee_{q_1 + q_2 = q,\; q_2 \ne 0,\; s} f q_1 \wedge g(q_2 + s) \wedge \neg h s .$$

The right hand side yields 

$$R_q \;=\; \bigvee_{q'_1 + q'_2 = q + s} f q'_1 \wedge g q'_2 \wedge \neg h s .$$

For L_q ≤ R_q, fq ≤ R_q holds by (S3). The remaining part of L_q is below R_q, as can be seen by letting q'_1 = q_1 and q'_2 = q_2 + s. For R_q ≤ L_q, we have to differentiate two cases. The R-components with q'_2 ⊒ s are below L_q, as can be seen by letting q_1 = q'_1 and q_2 = q'_2 − s. If q'_2 ⊏ s, then q'_1 ⊐ q, whence fq'_1 ∧ gq'_2 ∧ ¬hs ≤ fq'_1 ≤ fq ≤ L_q. □ 

The next two statements show that subtraction inverts addition. 

S5: If g is bounded, then (f + g) − g = f. 

Proof: By (S4), (f + g) − g = f + (g − g), which is f by (S2). □ 

S6: If f ≥ g and g is bounded, then (f − g) + g = f, and thus f ≥ f − g. 

Proof: By (S4) and commutativity of addition, (f − g) + g = (f + g) − g, which equals f by (S5). □ 

S7: If f ≥ g ≥ h and g is bounded, then (f − g) + (g − h) = f − h. 

Proof: Since g is bounded, h is bounded, too, and by (S6), g − h is also bounded. By (S4), (f − g) + (g − h) = ((f − g) + g) − h, which by (S6) equals f − h. □ 

S8: Let f ≥ f', g ≥ g', and f', g' be bounded. Then f − f' = g − g' iff f + g' = f' + g. 

Proof: Add / subtract f' and g' and apply (S4), (S5), and (S6). □ 

6.6  A  Frame  Homomorphism  from  F3  to  G 

Now we come to the final step of the proof of the critical lemma: given a frame embedding η from F2 to a complete Boolean algebra G, define a frame homomorphism β : F3 → G with β ∘ α = η. According to the spatial intuition that (u, v, q) be the set of evaluations μ with μ(u \ v) > q, or μu − μ(u ∧ v) > q, we define β(u, v, q) = (η ∘ [u] − η ∘ [u ∧ v]) q using the difference operator of the previous subsection. 

In the sequel, we shall not explicitly write down η, and abstract out the q-argument. Thus, we obtain the concise definition β[u, v] = [u] − [u ∧ v]. We have to show β ∘ α = η and the preservation of the relations of F3 by β. In doing so, we may use all properties of subtraction, since all the functions [u] are bounded: [u](1) = F. 

For the composition, we compute β(α[u]) = β[u, 0] = [u] − [u ∧ 0]. By the zero law of F2, [u ∧ 0] = [0] = 0, and by (S1), [u] − 0 = [u] holds. Since this actually stands for η ∘ [u], we have shown β ∘ α = η. 

For restricted continuity, let (u_i)_{i∈I} be a directed family of opens, and v an open with u_i ≥ v for all i. We have to show β[⋁_{i∈I} u_i, v] = ⋁_{i∈I} β[u_i, v], or 

$$\Big[\bigvee_{i \in I} u_i\Big] - \Big[\bigvee_{i \in I} u_i \wedge v\Big] \;=\; \bigvee_{i \in I} \big([u_i] - [u_i \wedge v]\big).$$

By the condition u_i ≥ v, this simplifies to [⋁_{i∈I} u_i] − [v] = ⋁_{i∈I} ([u_i] − [v]), which is a valid statement by the continuity relation in F2 and the continuity of subtraction in its first argument. 

The zero relation [0, 0] = 0 becomes [0] − [0 ∧ 0] = 0, which is true since [0] = 0 by the zero relation of F2, and 0 − 0 = 0 by (S1) or (S2). 

The meet relation [u, v] = [u, u ∧ v] becomes [u] − [u ∧ v] = [u] − [u ∧ (u ∧ v)], which is obviously true. 

The join relation [u, v] = [u ∨ v, v] translates into [u] − [u ∧ v] = [u ∨ v] − [v]. By (S8), this is equivalent to [u] + [v] = [u ∨ v] + [u ∧ v], which is just the modularity relation of F2. 

Finally, the split relation states [u, w] = [u, v] + [v, w] if u ≥ v ≥ w. By β, this becomes [u] − [w] = ([u] − [v]) + ([v] − [w]), a valid statement by (S7). 


7  Conclusion  and  Future  Work 


In [6, 7], a probabilistic power construction P_D is defined for dcpo's. In this paper, we define a construction P_I for infosyses in the sense of Vickers [12], and a construction P_L for locales, and prove that P_D, P_I, and P_L are equivalent when restricted to continuous domains. In particular, the infosys construction is effective: given a countable infosys D with decidable order, the power infosys P_I D is again countable with decidable order. 

The dcpo construction P_D is part of a monad on dcpo's, as shown in [6]. One might also wish to make P_I and P_L into monads with operations equivalent to those of Jones. This is a non-trivial task, since Jones's definition of the multiplication of the monad P_D involves Lebesgue integration (of Scott continuous functions w.r.t. continuous evaluations). For P_L, we were already successful in defining the monad operations, but this is a topic for a different paper. 

Another interesting problem is to work out the theory of ‘R_0^∞-frames’ that may hide behind the auxiliary notations of Subsection 6.2. With a proper axiomatization of R_0^∞-frames or of I-frames, one would obtain a theory of locales that does not rely on the Sierpinski space 2 as usual, but on the positive reals or the unit interval I. 
Abstract. We study the symmetric monoidal closed category LIN of linear domains. Its objects are inverse limits of finite, bounded complete posets with respect to projection-embedding pairs preserving all suprema. The full reflective subcategory LL of linear lattices is a denotational model of linear logic; the negation is A ↦ A^op and !(A) is the lattice of all Scott-closed sets of A. The Scott-continuous function space [A → B] models intuitionistic implication. Prime-algebraic lattices are linear and ⅋ equals ⊗ for these lattices; in general, ⅋ ≠ ⊗ in LL. Distributive, linear domains are exactly the prime-algebraic ones. 


1  Introduction 

One of the most frequently used cartesian closed categories in Denotational Semantics is that of Scott-domains and Scott-continuous maps [22]. If A and B are Scott-domains, then the exponential object [A → B] is the Scott-domain of all Scott-continuous functions f: A → B, ordered pointwise. The product A × B is the order-theoretic product of A and B and curry and apply are defined as in the cartesian closed category SET of sets and (total) functions. 

In [8], we find a finer universe of types which can be used to build up a cartesian closed category: the symmetric monoidal closed category of coherence spaces with stable maps in the stable order is a denotational semantics of linear logic equipped with linear types. Such types are finer than exponentiation and product in the sense that they decompose the exponential object into !(A)⊸B. Intuitively, f ∈ A⊸B is the denotation of a proof that ‘A implies B’ such that the proof uses the hypothesis A only once. The construct !(A) allows us to use A finitely many times, so g ∈ !(A)⊸B is the denotation of a proof of the intuitionistic implication ‘A implies B’. 

The goal of this paper is to specify a symmetric monoidal closed category of Scott-domains LIN with an internal hom ⊸ and a modality !() such that !(A)⊸B is isomorphic to the function space [A → B] of all Scott-continuous maps, ordered pointwise. We will also obtain the other linear types: a dualizing object ⊥, a contravariant functor ()^⊥ on LIN modeling negation, a tensor product ⊗ modeling parallel conjunction and its De Morgan dual ⅋; further, we will have the De Morgan dual ?() of !() and the additive operations ⊕ and &. 

Intuitively, the objects of such a category should encompass all finite Scott-domains and this category should be closed under inverse limits of projection-embedding pairs. 


As a methodological strategy, we will take on this task in the wider universe of bounded complete domains [14]. For these objects, we will specify the required morphisms and type constructors and we are ‘only’ left with the problem of finding a universe of Scott-domains in which algebraicity is preserved by all linear types; note that a bounded complete domain is a Scott-domain iff it is algebraic [15]. 

Assuming that we have already constructed this category of bounded complete domains, there are at least three conceptual questions to ask: 

— Is algebraicity preserved under all the linear type constructors, 

— and if not, are there at least subcategories of Scott-domains which are closed under all linear types and 

— do we have maximal such categories? 

In [14], a similar project has been successfully completed in the distributive setting. There, we studied the category BC of bounded complete domains with maps preserving all suprema. The full subcategory of prime-algebraic domains [27, 29] PRIME ⊆ BC is such that 

— every object in PRIME is distributive and algebraic, 

— PRIME is closed under the linear types in [14] and 

— if C is a full subcategory of BC closed under the negation ()^⊥ such that every object in C is distributive and algebraic, then C is a full subcategory of PRIME [14, Theorem 3.5]. 

The full subcategory PAL ⊆ PRIME of prime-algebraic lattices is a degenerate model of linear logic as we have ⊗ ≅ ⅋ in PAL [14, Proposition 5.9]. Thus, we could add two further specifications for the category LIN. 

— Every prime-algebraic domain should be linear and ⊗ and ⅋ should be different type operations in LIN. 

The fundamental questions in the ‘design’ of such a category are 

— what is the Scott-domain ⊥ and 

— how can we characterize the Scott-domain A⊸B in terms of set-theoretic functions f: A → B? 

These questions will be dealt with first. By definition, ⊥ will have to be a Scott-domain. If ⊥ = {*} is a singleton domain, then A^⊥ = A⊸⊥ could only be ⊥ again if the category LL is concrete, i.e. if morphisms in LL(A, B) correspond to set-theoretic functions f: A → B. But then A^⊥⊥ ≅ ⊥^⊥ = ⊥ demonstrates the impossibility of having ()^⊥ as an involution on Scott-domains other than ⊥. If ⊥ has at least two elements, it is easily seen that the cardinality of [[A → ⊥] → ⊥] exceeds that of A for all non-trivial, finite Scott-domains A. So while ⊥ := {0 < 1} seems to be the only reasonable candidate for a dualizing object in LIN, the cardinality problem persists since ⊥ has more than one element. 
The mismatch in size stems from allowing all Scott-continuous functions f ∈ [A → ⊥]. Note that [A → ⊥] is nothing but an isomorphic copy of the lattice of Scott-open sets σ(A) [7, 15], and there are simply more Scott-open sets of A than there are points a ∈ A. What we need is that every set f^{-1}(0), f ∈ A⊸⊥, is Scott-closed and corresponds to a point in A. To show f^{-1}(0) = ↓(a) for some a ∈ A, we need that f^{-1}(0) is bounded in A and that then f^{-1}(0) has a maximal element. For a Scott-domain with top, this is guaranteed if f: A → ⊥ preserves all suprema. 

Alternatively, we are led to the same choice of morphisms if we consider the desired isomorphism [A → B] ≅ !(A)⊸B for Scott-domains A and B assuming that B has a top. If p_l(A) denotes the lower power domain of A [12] (which has a topological representation as the lattice of all non-empty Scott-closed subsets of A, ordered by inclusion), then η_A := λa.↓(a): A → p_l(A) is Scott-continuous and is universal in the following sense: for all f ∈ [A → B], there exists a unique f̄: p_l(A) → B preserving all non-empty suprema such that f̄ ∘ η_A = f. If !(A) denotes the lattice of all Scott-closed subsets of A, ordered by inclusion, then there exists a unique f̂: !(A) → B preserving all suprema with f̂ ∘ up_{p_l(A)} ∘ η_A = f, for f̂ has to map ∅ to 0_B and behaves like f̄ otherwise; up_{p_l(A)}: p_l(A) → !(A) is the natural inclusion. 

This discussion not only strengthens the justification for the choice of A⊸B as the space of functions preserving all suprema, ordered pointwise, it also suggests the mathematical nature of !(A) as the lifted lower power domain of A. We briefly review the linear types for bounded complete domains as presented in [14]. 

Definition 1 A set-theoretic function f: A → B between bounded complete domains A and B preserves all suprema iff for all X ⊆ A bounded in A, the set f(X) ⊆ B is bounded in B and f(⊔_A X) = ⊔_B f(X). Let A⊸B denote the poset of all maps f: A → B preserving all suprema, ordered in the pointwise order: 

f ⊑ g iff f(a) ⊑ g(a) for all a ∈ A.   (1) 

Define 

A^⊥ := A⊸⊥.   (2) 

Let BC be the category with all bounded complete domains as objects and maps preserving all suprema as morphisms. Let SCOTT denote the full subcategory of BC which has all Scott-domains as objects. Let SUP be the full subcategory of BC which has as objects all complete (sup)lattices. □ 

Let us point out that ⊸ and [ → ] are well-defined operations on ob(BC). 

Lemma 1 Let A and B be objects in BC. Then A⊸B and [A → B] are objects in BC, and the supremum operation in A⊸B and [A → B] is the pointwise one. In particular, the inclusion map A⊸B ↪ [A → B] preserves all suprema. □ 
The tensor product ⊗ is uniquely determined up to isomorphism if 

A ⊗ B⊸C ≅ A⊸(B⊸C)   (3) 

is a natural isomorphism in BC; this is a consequence of basic category theory [16]. We want to motivate the tensor product by a universal property which appeals to our thinking in terms of functional programming. For objects A, B and C in BC, we can consider A⊸(B⊸C) as a subset of (C^B)^A as BC is a concrete [2] category. The category SET of sets and set-theoretic functions is cartesian closed [16] and the functions 

curry: C^{A×B} → (C^B)^A, curry := λf.λa.λb.f(a,b)   (4) 

uncurry: (C^B)^A → C^{A×B}, uncurry := λg.λ(a,b).g(a)(b) 

are mutually inverse bijections. This provides us with the concept of bilinearity if we characterize the set uncurry(A⊸(B⊸C)) in C^{A×B}. 

Definition 2 For objects A, B and C in BC, a set-theoretic function f of type f: A × B → C is bilinear iff 

∀a ∈ A : λb.f(a,b): B → C is linear   (5) 

∀b ∈ B : λa.f(a,b): A → C is linear. 

We denote by Bil(A × B, C) the domain of all bilinear functions f: A × B → C in the pointwise order. □ 

Note that Bil(A × B, C) is indeed an object in BC and that a bilinear map f: A × B → C need not be a morphism in BC, nor is a map g ∈ A × B⊸C bilinear in general [14]. If we restrict the maps curry and uncurry to Bil(A × B, C) and A⊸(B⊸C), we get a natural order-isomorphism between Bil(A × B, C) and A⊸(B⊸C) [14, Lemma 2.6]. Therefore, we obtain the natural isomorphism A ⊗ B⊸C ≅ A⊸(B⊸C) by showing 

Bil(A × B, C) ≅ A ⊗ B⊸C.   (6) 

For that, it is sufficient to have a domain A ⊗ B in BC and a bilinear map ⊗: A × B → A ⊗ B which is universal among all bilinear maps of type f: A × B → C: for all such f, there exists a unique map f̄: A ⊗ B → C preserving all suprema such that f̄ ∘ ⊗ = f. The isomorphism is then verified by sending f to f̄ [14, Theorem 2.9]. This situation is quite common in a category with universal bimorphisms [3]. 

To construct the domain A ⊗ B and the bilinear map ⊗: A × B → A ⊗ B, let A^+ be the domain A \ {0_A} for an object A in BC. Note that A^+ is not an object in BC in general. 
For a poset P, let L_b(P) be the domain of all lower sets L ⊆ P such that L is bounded in P. Then, 

A * B := L_b(A^+ × B^+)   (7) 

can be shown to be an object in BC [14, Lemma 2.8]. But A * B is not a tensor product since 

(a, b) ↦ ↓_{A^+}(a) × ↓_{B^+}(b): A × B → A * B   (8) 

is not a bilinear map. Therefore, we have to consider A ⊗ B, the domain of all T ∈ A * B satisfying the following condition: 

∀ ∅ ≠ X × Y ⊆ T bounded in A * B : (⊔X, ⊔Y) ∈ T.   (9) 

The domain A ⊗ B is an object in BC [14, Lemma 2.8] and the map ⊗: A × B → A ⊗ B defined by 

λ(a,b). if (a = 0_A or b = 0_B) then ∅ else ↓((a,b))   (10) 

is a universal bilinear map with A × B as a source [14, Theorem 2.9]. 

The unary operation ()^⊥ is not quite an involution on objects in BC. This is the very reason why we had to construct ⊗ explicitly; otherwise, A ⊗ B ≅ (A⊸B^⊥)^⊥ would follow from the general theory of *-autonomous categories [4] and could be viewed as a definition of ⊗. 

The forgetful functor SUP → BC has a left adjoint where λa.λf.f(a): A → A^⊥⊥ is the front adjunction. In particular, we have A^⊥ ≅ A^⊥⊥⊥ for all objects in BC [14, Lemma 4.3]. In [14, Lemma 4.3], we also find: 

Remark 1 For every object A in SUP, we have A^⊥ ≅ (A)^op. For a domain B in BC, we have B^⊥⊥ ≅ B iff B is an object in SUP. □ 

We let A + B denote the coalesced sum [12, 20] of A and B which is a categorical coproduct in BC [14, Lemma 4.5]. Since SUP is a full reflective subcategory of BC, the operation A ⊕ B := (A + B)^⊥⊥ is a categorical coproduct in SUP. 

The category BC is seen to be symmetric monoidal closed and SUP is a model of linear logic [14]. Of course, our enterprise would be trivial if SCOTT were indeed closed under the type constructors of linear logic in BC. 

Proposition 1 SCOTT is not closed under the negation ()^⊥ in BC. □ 

Since SCOTT cannot be a category we are looking for, we should formalize what our desired category should satisfy. 

Definition 3 A full subcategory C of SCOTT has linear types iff 

- C is closed under ()^⊥, ⊗, !() and ⊕ and 

- C is closed under inverse limits of projection-embedding pairs in BC. □ 

We can focus on just the operations ()^⊥, ⊗, !() and ⊕, for we can define the remaining linear types in terms of these, at least for those objects satisfying A ≅ A^⊥⊥, i.e. complete lattices. 

The last condition imposed on a category of Scott-domains with linear types ensures that we can build sufficiently many objects. Intuitively, such a category should be ‘determined’ by all its objects of finite size. 
Fig. 1. A Scott-domain A_1 such that A_1^⊥ ≅ (A_1)^op is not a Scott-domain 

2  Linear  Domains 

Recall that a bounded complete domain A is algebraic iff it can be written as the inverse limit of finite, bounded complete posets under Scott-continuous projection-embedding pairs [15, 19]. This has also a well-known internal description [10, 15, 19] in terms of Scott-continuous idempotent deflations on A. 

Proposition 2 For a bounded complete domain A, the following are equivalent: 

1. A is algebraic. 

2. There exists a directed set D in [A → A] such that for all d ∈ D, we have dd = d, im(d) is finite and ⊔D = id_A. 

□ 

If we now view the equivalence in Proposition 2 as a definition of algebraicity in the category BC, we have seen in Figure 1 that this definition does not respect the operation ()^⊥ on BC. A cheap escape route might be to consider bialgebraic lattices [7], i.e. lattices A such that A and (A)^op are algebraic. The class of bialgebraic lattices is by definition closed under ()^⊥ as then A^⊥ ≅ (A)^op; but one can raise a fatal objection against such an approach. If A and B are bialgebraic lattices, then A ⊗ B is not bialgebraic in general. To see why that is true, let A_2 be the domain shown in Figure 2. This is a bialgebraic lattice with A_2^⊥ ≅ (A_2)^op ≅ A_2. If A_2 ⊗ A_2 were bialgebraic, then (A_2 ⊗ A_2)^op ≅ (A_2 ⊗ A_2)^⊥ ≅ (A_2^⊥ ⊗ A_2)^⊥ would have to be algebraic as well. The isomorphism [8, 14] 

(A_2^⊥ ⊗ A_2)^⊥ ≅ A_2⊸A_2   (11) 

would then ensure that the function space A_2⊸A_2 is algebraic. 

Fig. 2. A Scott-domain A_2 such that A_2⊸A_2 is not a Scott-domain 

Proposition 3 The function space A_2⊸A_2 is not algebraic. □ 

In particular, the full subcategory of bialgebraic lattices in BC is not a category of Scott-domains with linear types. Looking again at the criterion of algebraicity in Proposition 2, we could ask what changes if we assume all maps d ∈ D to preserve all suprema, not just directed ones. 

Definition 4 For an object A in BC set 

C(A) := {d ∈ A⊸A | dd = d ⊑ id_A, im(d) finite}.   (12) 

We call A linear iff there exists a directed set D in C(A) such that ⊔D = id_A holds in A⊸A. Let LIN denote the full subcategory of BC which has all linear domains as objects. Let LL be the full subcategory of BC which has all linear lattices as objects. □ 


We want to show that LIN and LL are categories of Scott-domains with linear types. 

Theorem 1 1. LIN contains all finite objects in BC and LL contains all finite objects in SUP, 

2. every object in LIN is algebraic, 

3. not every object in LIN, respectively LL, is distributive, 

4. LIN, respectively LL, is closed under inverse limits of projection-embedding pairs in BC, respectively SUP, 

5. LIN, respectively LL, is closed under ⊸, 

6. LIN, respectively LL, is closed under [ → ], 

7. LIN, respectively LL, is closed under ()^⊥. 

□ 
It can be shown that PRIME is a proper subcategory of LIN; because of Theorem 1.3, we only need to show that every prime-algebraic domain is linear. The intuition behind a prime-algebraic domain A is that every element a ∈ A is the supremum of complete primes below it. 

Definition 5 Let A be a bounded complete domain. An element p ∈ A is called a complete prime of A iff for all bounded sets X ⊆ A the relation p ⊑ ⊔X implies p ⊑ x for some x ∈ X. Let Pr(A) denote the poset of all complete primes of a bounded complete domain A. The domain A is prime-algebraic iff the supremum of ↓(a) ∩ Pr(A) equals a for all a ∈ A. Let PRIME be the full subcategory of BC with all prime-algebraic domains as objects. Let PAL be the full subcategory of BC with all prime-algebraic lattices as objects. □ 

The condition for p ∈ Pr(A) reads like the criterion for being a finite element, p ∈ K(A), except that we now quantify over all bounded sets X, not only directed ones. 
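As an added illustration of Definition 1 (maps preserving all suprema) and Definition 5 (complete primes and prime-algebraicity), not code from the paper: a brute-force check on small finite posets. The sample lattices (the two-element chain, the square 2 × 2 and the five-element diamond M3), the two maps and all function names are constructed here; on a finite bounded complete poset every bounded subset has a supremum, so exhaustive search over subsets is exact.

```python
"""Brute-force checks of Definition 1 and Definition 5 on finite posets.

Added example, not code from the paper.  Elements are single characters;
the order is given by generating pairs and closed reflexively and
transitively.  The sample posets and maps below are constructed for this
illustration only.
"""
from itertools import combinations


class FinitePoset:
    def __init__(self, elems, pairs):
        self.elems = list(elems)
        leq = {(x, x) for x in self.elems} | set(pairs)
        changed = True
        while changed:                       # reflexive-transitive closure
            changed = False
            for a, b in list(leq):
                for c, d in list(leq):
                    if b == c and (a, d) not in leq:
                        leq.add((a, d))
                        changed = True
        self.leq = leq

    def le(self, x, y):
        return (x, y) in self.leq

    def sup(self, subset):
        """Least upper bound of subset, or None if it does not exist
        (a subset with no upper bound is not bounded in the sense of Def. 1)."""
        ubs = [u for u in self.elems if all(self.le(x, u) for x in subset)]
        least = [u for u in ubs if all(self.le(u, v) for v in ubs)]
        return least[0] if least else None

    def subsets(self):
        for k in range(len(self.elems) + 1):
            for c in combinations(self.elems, k):
                yield frozenset(c)


def preserves_all_suprema(P, Q, f):
    """Definition 1: for every X bounded in P, f(X) is bounded in Q and
    f(sup X) = sup f(X).  X = {} is included, so bottom must map to bottom."""
    for X in P.subsets():
        s = P.sup(X)
        if s is None:                        # X unbounded: nothing to check
            continue
        t = Q.sup({f(x) for x in X})
        if t is None or t != f(s):
            return False
    return True


def is_monotone(P, Q, f):
    """On a finite poset, Scott-continuity is just monotonicity."""
    return all(Q.le(f(x), f(y)) for x, y in P.leq)


def complete_primes(P):
    """Definition 5: p is a complete prime iff p <= sup X implies p <= x
    for some x in X, for every bounded X (X = {} rules out the bottom)."""
    primes = []
    for p in P.elems:
        prime = True
        for X in P.subsets():
            s = P.sup(X)
            if s is not None and P.le(p, s) and not any(P.le(p, x) for x in X):
                prime = False
                break
        if prime:
            primes.append(p)
    return primes


def is_prime_algebraic(P):
    """Every a is the supremum of the complete primes below it."""
    primes = complete_primes(P)
    return all(P.sup({p for p in primes if P.le(p, a)}) == a for a in P.elems)


# Constructed samples: the two-element chain, the square 2 x 2 (distributive)
# and the diamond M3 = {0 < a, b, c < 1} (a lattice, but not distributive).
TWO = FinitePoset("01", [("0", "1")])
SQUARE = FinitePoset("0ab1", [("0", "a"), ("0", "b"), ("a", "1"), ("b", "1")])
M3 = FinitePoset("0abc1", [("0", "a"), ("0", "b"), ("0", "c"),
                           ("a", "1"), ("b", "1"), ("c", "1")])

# Two monotone maps SQUARE -> TWO: LINEAR preserves all suprema,
# MONOTONE_ONLY does not (it sends a and b to 0 but their join 1 to 1).
LINEAR = {"0": "0", "a": "1", "b": "0", "1": "1"}
MONOTONE_ONLY = {"0": "0", "a": "0", "b": "0", "1": "1"}

if __name__ == "__main__":
    print("primes of square:", complete_primes(SQUARE), is_prime_algebraic(SQUARE))
    print("primes of M3:", complete_primes(M3), is_prime_algebraic(M3))
    print("LINEAR in SQUARE -o TWO:", preserves_all_suprema(SQUARE, TWO, LINEAR.get))
    print("MONOTONE_ONLY monotone:", is_monotone(SQUARE, TWO, MONOTONE_ONLY.get),
          "linear:", preserves_all_suprema(SQUARE, TWO, MONOTONE_ONLY.get))
```

Both finite lattices are linear by Theorem 1.1; the square is distributive and comes out prime-algebraic with primes a and b, while M3 is not distributive and has no complete primes at all, in line with the abstract's statement that the distributive linear domains are exactly the prime-algebraic ones.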

Proposition 4 Every prime-algebraic domain is linear; in particular, PRIME is a full subcategory of LIN and PAL is a full subcategory of LL. □ 

Theorem 1 has a corresponding version for the categories PRIME and PAL. 

Theorem 2 1. PRIME contains all finite, distributive objects in BC and PAL contains all finite, distributive objects in SUP, 

2. every object in PRIME is algebraic, 

3. every object in PRIME is distributive, 

4. PRIME, respectively PAL, is closed under inverse limits of projection-embedding pairs in BC, respectively SUP, 

5. PRIME, respectively PAL, is closed under ⊸, 

6. PRIME, respectively PAL, is closed under [ → ], 

7. PRIME, respectively PAL, is closed under ⊗. 

□ 

The category LL is also closed under the additive type constructors of SUP, introduced in [14]. 

Definition 6 Let A and B be objects in BC. Then define 

- A + B to be the coalesced sum [13, 18, 20] of A and B, 

- A ⊕ B to be (A + B)^⊥⊥, 

- A & B to be the order-theoretic product of A and B and 

- ⅋ to be the De Morgan dual of ⊗: 

A ⅋ B := (A^⊥ ⊗ B^⊥)^⊥.   (13) 

□ 
Proposition 5 1. If A and B are linear domains, then so are A + B, A ⊕ B, A & B and A ⅋ B. 

2. If A and B are linear lattices, then so are A ⊕ B, A & B and A ⅋ B. 

□ 

Note that + is the categorical product in BC and LIN, whereas ⊕ is the categorical biproduct in SUP and LL [14, Lemma 4.5 & 4.10]; also, A + B is a lattice iff A or B is a singleton domain. Since LIN and LL are closed under & and [ → ], we obtain: 

Corollary 1 The category LIN_sc, respectively LL_sc, of linear domains, respectively linear lattices, and Scott-continuous maps as morphisms is cartesian closed. 

□ 


3  Linear  Lattices  modeling  Linear  Logic 

We have shown that LL is closed under ()^⊥, ⊗, ⅋, ⊸, ⊕ and &. We define the four domains modeling the constants of classical linear logic to be 

⊥ := {0 < 1}   (14) 

1 := ⊥^⊥ ≅ ⊥ 

⊤ := {*} 

0 := ⊤^⊥ ≅ ⊤. 

Since SUP and BC are symmetric monoidal closed categories [14] and LL and LIN are closed under all the constructions discussed so far in SUP and BC, we conclude that LL and LIN are symmetric monoidal closed categories as well. 

Theorem 3 LIN and LL are symmetric monoidal closed categories. □ 

The category LL gives us a model of linear logic in the standard fashion of [23]. Moreover, we have a natural isomorphism A ⊕ B ≅ A & B in SUP and LL [14, Lemma 4.10]. Therefore, the category LL can give us only an incomplete semantics of classical linear logic: we have morphisms f ∈ (A ⊕ B)⊸(A & B) but (A ⊕ B)⊸(A & B) is not a theorem of classical linear logic [25]. 

In the introduction, we already gave good categorical reason for the choice of !(A) as the lattice of all Scott-closed subsets of A, ordered by inclusion. 

Definition 7 For an object A in SCOTT and any poset P, define 

- L(P) to be the poset of lower sets of P ordered by inclusion, 

- p_l(A) to be L(K(A) \ {0_A}), 

- ε_A: A → p_l(A) by ε_A := λa.↓(a) ∩ (K(A) \ {0_A}), 

- !(A) as the lattice of all Scott-closed subsets of A, ordered by inclusion and 

- ?(A) as (!(A^⊥))^⊥. □ 



We realize $?(A)$ as the Scott-topology on $A^\perp$.

Proposition 6 Let A be an object in SCOTT. Then we have the following:

1. $(P_l(A), e_A)$ is a lower power domain for A,

2. $P_l(A)^\perp \cong L(K(A)) \cong !(A)$,

3. $L(K(A))$ is an object in PAL with $\mathrm{Pr}(L(K(A))) \cong K(A)$,

4. $?(A) \cong \sigma(A)^\perp$ and

5. $?(A) \cong \sigma(A^\perp)$.

□ 

The isomorphism $L(K(A)) \cong !(A)$ had been stated in the non-lifted version in [26]. We still have to ensure that $!(A)$ and $?(A)$ are linear for a linear domain A.

Proposition 7 The categories PRIME, PAL, LIN and LL are closed under $!()$ and $?()$. □

The  functor  !()  transforms  products  into  tensor  products. 

Theorem 4 1. For objects A and B in a category C of Scott-domains with linear types, we have

$$!(A \& B) \cong !(A) \otimes !(B) \qquad (15)$$

2. and for lattices A and B in C, we have

$$[A \to B] \cong !(A) \multimap B. \qquad (16)$$

□ 


Let  us  summarize  what  we  have  demonstrated  so  far. 

Theorem 5 The categories of Scott-domains PRIME, LIN, PAL and LL have linear types and $PRIME \subset LIN$. □

Since all objects in PRIME, respectively LIN, are isomorphic to inverse limits of finite objects in PRIME, respectively LIN, the category PRIME, respectively LIN, is 'determined' by its class of objects of finite size. For PRIME, the constraint on a finite domain is the distributivity axiom; for LIN, we allow all finite domains in BC. The situation is similar for PAL and LL. One might ask whether this is typical for categories of Scott-domains with linear types.

In [14, Proposition 5.9], we showed the natural isomorphism

$$A \otimes B \cong A \wp B \qquad (17)$$

for objects A and B in PAL. Therefore, PAL is a compact closed category. The situation changes if we consider the larger category LL. The example of two finite lattices where $\wp$ differs from $\otimes$ is due to Michael Barr [4, page 100].
Theorem 6 1. For all categories C of Scott-domains with top with linear types such that every object in C is distributive, we have a natural isomorphism $A \otimes B \cong A \wp B$.

2. There exist linear lattices C and D such that $C \otimes D \not\cong C \wp D$.

□ 

Theorem 6 states that distributivity in a category C of Scott-domains with top with linear types implies that $\wp$ equals $\otimes$. One might wonder how strong the link between distributivity of all objects in C and the compact closedness of such a category is; and what about the existence of categories of Scott-domains with linear types other than PRIME, PAL, LIN and LL?

Question  1  Given  a  compact  closed  category  C  of  Scott-domains  with  top  with 
linear  types,  is  every  object  in  C  distributive?  □ 

Question 2 Are there categories C of Scott-domains with linear types other than PRIME, PAL, LIN and LL; if so, is every such category C in BC contained in LIN? □

4  Quasi-prime  Algebraic  Domains 

In  this  section,  we  want  to  show  that  a  linear  domain  is  distributive  iff  it  is  prime- 
algebraic.  In  this  sense,  linear  domains  constitute  a  generalization  of  prime- 
algebraic  domains  by  abandoning  the  distributivity  axiom  but  at  the  same  time 
preserving  the  richness  of  the  available  type  structure.  The  proof  of  that  requires 
the  notion  of  a  completely  sup-irreducible  element  [7]  and  of  quasi-prime  algebraic 
domains  introduced  by  Guo-Qiang  Zhang  in  [30]. 

In [30], it was noted that each $p \in \mathrm{Pr}(A)$ has a unique element $p^* < p$ in A such that $a \sqsubseteq p^*$ for all $a < p$ in A. Guo-Qiang Zhang calls elements p which have such a $p^*$ quasi-primes and defines a quasi-prime algebraic domain A to be a Scott-domain in which each element is the supremum of quasi-primes below it. Clearly, $p \in A$ is quasi-prime iff for all $X \subseteq {\downarrow}(p)$ the relation $p \sqsubseteq \bigsqcup_A X$ implies $p \sqsubseteq x$ for some $x \in X$.

Comparing this to the definition of a complete prime has led Guo-Qiang Zhang to the name quasi-prime, for one quantifies only over all bounded sets X in ${\downarrow}(p)$, not in all of A. Such elements have also been studied in lattice theory [5, 7].

Definition 8 Let A be a bounded complete domain. An element $q \in A$ is called a completely sup-irreducible element of A iff for all bounded $X \subseteq A$ the equation $q = \bigsqcup_A X$ implies $q \in X$. Let $\mathrm{Si}(A)$ denote the poset of completely sup-irreducible elements of A. Let SI be the full subcategory of BC with objects all A such that the supremum of ${\downarrow}(a) \cap \mathrm{Si}(A)$ equals a for all $a \in A$. □

The next lemma compares the notions of quasi-primes, complete primes and completely sup-irreducible elements. It had been shown in [30] for Scott-domains.


Lemma 2 Let A be an object in BC and $p \in A$. Then, the following are equivalent:

1. p is a completely sup-irreducible element in A,

2. p is a quasi-prime in A and

3. p is a complete prime in ${\downarrow}(p)$.

□ 

Since $\mathrm{Pr}(A) \subseteq K(A)$ holds for all objects A in BC, and since finite suprema of finite elements are finite [7], we know that every prime-algebraic domain A is also a Scott-domain. Moreover, $k \in A$ is then finite in A iff k is the supremum of a finite set $F \subseteq \mathrm{Pr}(A)$ in A. This does not hold if we replace $\mathrm{Pr}(A)$ by $\mathrm{Si}(A)$. In Figure 1, the lattice $A_1^\perp$ is readily seen to be an object in SI with

$$\mathrm{Si}(A_1^\perp) = \{a_n \mid n > 1\} \cup \{b\}, \qquad (18)$$

but $A_1^\perp$ is not algebraic. In particular, b is an element of $\mathrm{Si}(A_1^\perp) \setminus K(A_1^\perp)$. For objects in SI, the absence of such elements is equivalent to the algebraicity of the domain.

Proposition 8 Let A be an object in SI. Then

1. A is algebraic iff $\mathrm{Si}(A) \subseteq K(A)$ and

2. if A is algebraic, then $k \in A$ is finite in A iff k is the supremum of a finite set $F \subseteq \mathrm{Si}(A)$ in A.

□ 

It  is  time  to  define  quasi-prime  algebraic  domains  as  a  category.  Also,  we 
need  a  name  for  the  category  of  all  distributive  domains  in  BC. 

Definition 9 Let QP be the full subcategory of SI which has all Scott-domains in SI as objects. Let dBC be the full subcategory of BC which has all distributive domains in BC as objects. □

Note that the objects in QP are exactly Guo-Qiang Zhang's quasi-prime algebraic domains [30]. By definition, QP is contained in SI, yet $A_1^\perp$ is an object in SI but not in QP, for it is not an algebraic domain. Since

$$\mathrm{Si}(A_1) = \{a_n \mid n > 0\} \cup \{b\}, \qquad (19)$$

we see that $A_1$ is an object in QP.

Remark 2 The category QP is not closed under $(\ )^\perp$ in BC: QP is not a category of Scott-domains with linear types. □

In [30], one obtains a symmetric monoidal closed category with finite products such that its class of objects equals the class of objects in QP (= all quasi-prime algebraic domains). The approach differs from the one taken in this paper, for Guo-Qiang Zhang considers quasi-linear maps, a special class of Scott-continuous functions, as elements of the internal hom [30].


This  is  interesting  as  most  models  of  intuitionistic  logic  rest  on  the  notion 
of  a  function  preserving  all  suprema.  The  technical  price  being  paid,  however,  is 
the  absence  of  a  dualizing  object  [30].  But  another  point  in  favor  of  working  with 
non-linear  functions  is  the  possibility  of  representing  all  objects  as  information 
systems  [30]. 

For  linear  domains,  this  seems  only  possible  after  one  has  established  an 
order-theoretic axiomatization of the posets $K(A)$ for linear domains A; such an
axiomatization  has  been  given  for  SFP-objects  [19]  and  bifinite  domains  [10,  15]. 
We  have  been  unable  to  suggest  such  an  axiomatization  in  the  linear  setting.  If 
such  a  logical  description  of  linear  domains  can  be  found,  it  is  likely  not  to 
be  a  first-order  theory  on  posets  K(A).  It  would  be  of  interest  to  investigate, 
whether  there  is  a  greatest  category  of  Scott-domains  with  linear  types  which 
has  a  first-order  axiomatization — see  [11]  for  the  situation  of  Scott-continuous 
maps. 

We  pointed  out  that  QP  does  not  support  the  linear  types  in  BC;  but  every 
category  of  Scott-domains  with  linear  types  is  contained  in  QP. 

Theorem 7 Let C be a category of Scott-domains with linear types. Then C is a full subcategory of QP. □

This theorem uses only the fact that all objects in C are algebraic and that C is closed under $(\ )^\perp$ in BC. Theorem 7 is not a vacuous statement, for there exist Scott-domains which are not quasi-prime algebraic. Before we give an example, let us draw a conclusion for linear domains.

Corollary 2 The category LIN is a full subcategory of QP. □

Note that our example of a Scott-domain $A_3$, which is not quasi-prime algebraic, must be infinite; otherwise, $A_3$ would be linear and therefore an object in QP. Consider the lifted, full binary tree with its root as top element as depicted in Figure 3. This describes a Scott-domain $A_3$ with

$$\mathrm{Si}(A_3) = \emptyset, \qquad (20)$$

so $A_3$ is not quasi-prime algebraic; this example is due to Guo-Qiang Zhang [30]. Since $A_3^\perp \cong (A_3)^{op}$ is not algebraic, we conclude that $A_3 \multimap A_3$ is not algebraic, for there exists a canonical closure-embedding pair $(c, e) : A_3 \multimap A_3 \to (A_3)^{op}$ in BC and the image of a Scott-continuous closure operator of an algebraic domain is algebraic [7]. The same reasoning applies to the Scott-domain $A_1$.

Now,  we  are  in  a  position  to  prove  that  distributivity  and  prime-algebraicity 
are  the  same  concept  in  LIN  and  in  QP. 

Lemma 3 For A in BC, we have

1. $\mathrm{Pr}(A) \subseteq \mathrm{Si}(A)$ and

2. if A is distributive and algebraic, then $\mathrm{Si}(A) \subseteq \mathrm{Pr}(A)$.

□ 


Theorem 8 The categories PRIME, $dBC \cap LIN$ and $dBC \cap QP$ are equal. □


Fig. 3. A Scott-domain $A_3$ which is not quasi-prime algebraic


5  Conclusion 

We have developed the concept of a category of Scott-domains with linear types as a subcategory of Scott-domains of BC which supports the type operations of linear logic in BC such that it is closed under inverse limits of projection-embedding pairs in BC. We gave four examples of such categories: prime-algebraic domains, prime-algebraic lattices, linear domains and linear lattices.

We showed that every prime-algebraic domain is linear (and distributive) and that every distributive linear domain is prime-algebraic. In this sense, linear domains can be viewed as a generalization of prime-algebraic domains.

Every linear lattice is bialgebraic and bialgebraic lattices are ill-behaved under the linear type constructors if they are not linear [Proposition 3]. Hence, we can construe linear lattices as a benign subcategory of the full subcategory of bialgebraic lattices in SUP.

6  Future  Work 

The  questions  stated  in  this  article  form  the  ground  on  which  future  work  should 
take  off.  We  did  not  discuss  linear  domains  A  with  a  countable  basis  K(A).  It 
can  be  shown  that  all  the  type  constructors  presented  in  this  paper  preserve 
countability  of  the  basis  K(A). 


We  also  did  not  include  an  analysis  of  the  fine  structure  of  linear  domains. 
This  will  be  done  in  a  subsequent  piece  of  work.  Further,  it  would  be  interesting 
to investigate linear, stable domains A which are obtained by assuming that all maps in Definition 4 are stable as well and that the directed sets are directed with respect to the stable order in [9].
Summary. This paper demonstrates the existence of a
saturated  quasi-prime  algebraic  domain.  It  also  presents 
a  cpo  of  quasi-prime  generated  information  systems  for 
solving  domain  equations. 
1 Introduction

Quasi-prime algebraic domains are a class of cpos within the Scott domains. They are introduced by the author in [11] as a new domain-theoretic model for linear logic. Quasi-prime algebraic domains with quasi-linear functions form a monoidal closed category. The unique characteristic of the category is that the morphisms are not 'linear', as the term 'quasi-linear' suggests. This is a bit surprising, since all other known domain theoretic linear categories use linear functions as morphisms [11].

However,  how  robust  and  useful  the  concept  of  quasi-prime  al¬ 
gebraic  domains  is  depends  on  whether  or  not  they  have  other  nice 
domain  theoretic  properties.  One  of  the  desirable  properties  is  the 
existence  of  a  universal  (or  even  saturated)  domain  [4]  in  a  certain 
category.  The  other  related  property  to  have  is  a  framework  for 
solving  domain  equations  by  fixed  point  construction,  as  in  [5,  8]. 
It  is  the  purpose  of  the  paper  to  establish  these  results  for  quasi¬ 
prime  generated  information  systems  which  represent  quasi-prime 
algebraic  domains. 

One  of  the  most  useful  results  on  universal  domains  is  given  in  the 
work  of  Droste  and  Gobel  [1],  who  introduced  the  Fraisse-Jonsson 
theorem  in  model  theory  into  the  area  of  domain  theory.  This  makes 
it  much  easier  to  show  the  existence  of  certain  universal  domains  be¬ 
cause  it  reduces  the  existence  of  a  saturated  structure  to  the  amal¬ 
gamation  property  of  the  finite  objects  of  a  certain  category. 

We apply the result of Droste and Gobel for showing the existence of a saturated (universal, homogeneous) quasi-prime algebraic domain. Our main definition here is the notion of q-embeddings for quasi-prime algebraic domains. The appropriate notions of embeddings for Scott domains (call them s-embeddings) [5, 2] and for dI-domains (call them r-embeddings, 'r' for rigid) [8] are well-known. However, none of these embeddings works for quasi-prime algebraic domains, for the following reasons:

• The s-embeddings are too general: under this embedding the colimit of an ω-chain of finite Scott domains (which are quasi-prime algebraic) need not be quasi-prime algebraic, because any Scott domain can be seen as a colimit of this kind.

• The r-embeddings are too specific: there are certain quasi-prime algebraic domains which cannot be represented as a colimit of any chain of finite Scott domains, although the r-embeddings are suitable for the I-domains (dI-domains without axiom d).

With  q-embeddings  we  get  the  desired  algebroidal  category  of 
quasi-prime  generated  information  systems.  The  finite  objects  of 
the  category  are  shown  to  have  the  amalgamation  property.  This 
implies  the  existence  of  a  saturated  quasi-prime  algebraic  domain. 

Based  on  the  notion  of  q-embeddings,  we  will  also  introduce  a 
cpo  of  quasi-prime  generated  information  systems  on  which  various 
constructions  are  shown  to  induce  continuous  functions.  This  implies 
the  existence  of  recursively  defined  quasi-prime  generated  informa¬ 
tion  systems. 

Here  is  the  outline  of  the  structure  of  the  paper.  In  Section  2 
we  introduce  the  notions  of  quasi-primes  and  quasi-prime  algebraic 
domains.  In  Section  3  we  represent  quasi-prime  algebraic  domains 
as  information  systems.  This  will  bring  technical  convenience  to  the 
rest  of  the  paper.  Section  4  recalls  the  result  of  Droste  and  Gobel 
on  the  existence  of  universal  domains.  Section  5  presents  a  category 
of  quasi-prime  algebraic  information  system  with  q-embeddings  as 
the  morphisms.  Section  6  verifies  the  amalgamation  property  of  the 
finite  objects  of  the  category  introduced  in  Section  5.  In  the  final 
section,  we  introduce  a  cpo  of  quasi-prime  generated  information 
systems  and  the  continuity  of  various  constructions  on  this  cpo. 


2  Quasi-Prime  Algebraic  Domains 

In a Scott domain D, an element p is called a complete prime if

$$p \sqsubseteq \bigsqcup X \Rightarrow \exists x \in X.\ p \sqsubseteq x.$$

On the other hand, an element q is called a quasi-prime if

$$q = \bigsqcup X \Rightarrow \exists x \in X.\ q = x.$$

A Scott domain is prime algebraic if every element is the least upper bound of complete primes below (less than or equal to) it. Similarly, a Scott domain is quasi-prime algebraic if every element is the least upper bound of quasi-primes below it. As far as functions are concerned, for prime algebraic domains, a function f is linear if and only if

$$p \sqsubseteq f(x) \Rightarrow \exists r \sqsubseteq x.\ p \sqsubseteq f(r), \quad \text{where } p, r \text{ are complete primes.}$$

For quasi-prime algebraic domains, a function f is quasi-linear if and only if

$$q \sqsubseteq f(x) \Rightarrow \exists s \sqsubseteq x.\ q \sqsubseteq f(s), \quad \text{where } q, s \text{ are quasi-primes.}$$

The  following  table  summarizes  the  relationships  between  com¬ 
plete  primes  and  quasi-primes,  linear  functions  and  quasi-linear  func¬ 
tions.  For  comparison,  we  also  include  isolated  elements  and  contin¬ 
uous  functions. 


                         Definition
Isolated Elements        $d \sqsubseteq \bigsqcup X \Rightarrow \exists x \in X.\ d \sqsubseteq x$  (X directed)
Complete Primes          $p \sqsubseteq \bigsqcup X \Rightarrow \exists x \in X.\ p \sqsubseteq x$  (X bounded)
Quasi-Primes             $q = \bigsqcup X \Rightarrow \exists x \in X.\ q \sqsubseteq x$
Continuous Functions     $f(\bigsqcup X) = \bigsqcup \{f(x) \mid x \in X\}$  (X directed)
Linear Functions         $f(\bigsqcup X) = \bigsqcup \{f(x) \mid x \in X\}$  (X bounded)
Quasi-Linear Functions   $q \sqsubseteq f(x) \Rightarrow \exists s \sqsubseteq x.\ q \sqsubseteq f(s)$  (q, s quasi-primes)
It is helpful to note that all finite Scott domains are quasi-prime algebraic (we need the next theorem for this). Of course not all finite Scott domains are prime algebraic. Moreover, not all Scott domains are quasi-prime algebraic. The following theorem can help us find such an example. This theorem is extremely helpful in identifying quasi-primes. This, I believe, is also the key advantage of working with quasi-prime algebraic domains.

Theorem 2.1 Let D be a Scott domain. An element $q \in D$ is a quasi-prime iff there is a unique element $q^*$ immediately below q.

It  is  worth  pointing  out  that,  as  a  consequence  of  the  theorem,  if 
x  has  a  unique  element  immediately  below  it,  then  x  is  an  isolated 
element.  Bottoms  are  never  quasi-primes. 

It is now easy to see that, if one turns the complete binary tree upside down and adjoins a bottom element, one gets a Scott domain which is not quasi-prime algebraic, since there are no quasi-primes in this domain. Also note that it is easy to show, by mathematical induction on the number of elements below an isolated element, that finite Scott domains are quasi-prime algebraic.

We  end  this  section  by  remarking  that  a  dual  concept  of  quasi¬ 
primes  was  mentioned  in  [3]  (pages  92-93),  called  the  completely 
irreducible  elements.  Quasi-primes  were  introduced  in  [11]  as  a  by¬ 
product  of  studying  quasi-prime  algebraic  domains.  Therefore,  our 
motivation,  objectives,  and  results  are,  in  any  case,  totally  different 
from that of [3]. More importantly, we have gone far beyond a particular class of elements. We consider domains generated by these elements, and we consider categories of quasi-prime algebraic domains. We have introduced quasi-linear functions (details presented in a forthcoming paper) which are the corresponding morphisms for quasi-primes.
3 Quasi-Prime Generated Information Systems

This  section  introduces  a  representation  of  quasi-prime  algebraic  do¬ 
mains  as  information  systems.  This  will  bring  technical  convenience 
for  the  presentation  of  the  rest  of  the  paper. 

An information system [6] is a structure $\underline{A} = (A, Con, \vdash)$ where

• A is a countable set of propositions (tokens),

• Con is a collection of finite subsets of A (the consistent sets),

• $\vdash \subseteq (Con - \{\emptyset\}) \times A$, the entailment relation,

which satisfy

• $(X \subseteq Y \ \&\ Y \in Con) \Rightarrow X \in Con$,

• $a \in A \Rightarrow \{a\} \in Con$,

• $(X \vdash a \ \&\ X \in Con) \Rightarrow X \cup \{a\} \in Con$,

• $(a \in X \ \&\ X \in Con) \Rightarrow X \vdash a$,

• $(X \vdash Y \ \&\ Y \vdash c) \Rightarrow X \vdash c$.

Here $X \vdash Y$ is the abbreviation for $X \vdash b$ for every $b \in Y$. Thus $X \vdash \emptyset$ is vacuously true. Note that the information systems we consider here are not exactly the same as those introduced by Scott. We do not assume a distinguished element $\Delta$, standing for true. To compensate for this, we require that X is non-empty when we write $X \vdash a$. This has the effect that the bottom element of the corresponding domain is always the empty set.

The elements $|\underline{A}|$ of the information system $\underline{A} = (A, Con, \vdash)$ consist of subsets x of propositions which are

• consistent: $X \subseteq_{fin} x \Rightarrow X \in Con$, and

• deductively closed: $X \subseteq x \ \&\ X \vdash a \Rightarrow a \in x$.

Let $X \dashv\vdash Y$ be the abbreviation for $X \vdash Y$ and $Y \vdash X$. For technical convenience, we only consider information systems which are antisymmetric in this paper:

$$\forall a, b \in A\ [\{a\} \dashv\vdash \{b\} \Rightarrow a = b].$$

Definition 3.1 Let $\underline{A} = (A, Con, \vdash)$ be an information system. A token $a \in A$ is a quasi-prime token if

$$X \dashv\vdash a \Rightarrow a \in X.$$

We write $A_q$ for the set of quasi-prime tokens of $\underline{A}$. The information system is called quasi-prime generated iff for each $a \in A$, there is a finite set $X \subseteq A_q$ such that $X \dashv\vdash \{a\}$.

Let $\overline{S}$ stand for the deductive closure of any token set S, i.e.

$$\overline{S} = \{a \mid \exists X \subseteq_{fin} S.\ X \vdash a\}.$$

We first show that for each quasi-prime token a, $\overline{a}$ is a quasi-prime element. For this purpose, let $y = \overline{a} - \{a' \mid a' \vdash a\}$. Then y is again an ideal element. This is because from the assumption that a is a quasi-prime token we know that for any $X \subseteq_{fin} y$ (therefore $a \vdash X$), $X \vdash a$ implies $a \in X$. Now let $z \subset \overline{a}$ be an ideal element. It is clear that $a \notin z$. Therefore $z \subseteq y$, and y is the unique element immediately below $\overline{a}$. By Theorem 2.1, $\overline{a}$ is a quasi-prime.

Suppose x is a quasi-prime in the domain determined by a quasi-prime generated information system. That means there is a unique element y covered by x. Let $a \in x - y$. Clearly $\overline{a} \subseteq x$. If $\overline{a} \neq x$, we must have $\overline{a} \subseteq y$, since y is the unique element immediately below x, and every element strictly below x must therefore be below y. This would lead to $a \in y$, contradicting our assumption $a \in x - y$. The only alternative is $\overline{a} = x$. Let $X \subseteq x$ be such that $X \vdash a$. We can also assume that propositions in X do not entail each other unless they are the same. If for each $b \in X$, $\overline{b} \subset x$, then $\overline{b} \subseteq y$ for each $b \in X$, and $\bigcup\{\overline{b} \mid b \in X\} \subseteq y$. This is impossible because $X \vdash a$. Therefore $\overline{b} = \overline{a}$ for some $b \in X$, which means, by antisymmetry, $b = a$.

The above two paragraphs show that an ideal element x of an information system is a quasi-prime if and only if $x = \overline{a}$ for some quasi-prime token a.

In  general,  we  have  the  following  theorem,  whose  proof  can  be 
found  in  [11]. 

Theorem 3.1 For each quasi-prime generated information system $\underline{A}$,

$$(|\underline{A}|, \subseteq)$$

is a quasi-prime algebraic domain. On the other hand, for any quasi-prime algebraic domain D, there is a quasi-prime generated information system $\underline{A}$ such that $D \cong |\underline{A}|$.

We  remark  that  this  representation  theorem  can  be  put  in  a 
stronger  form:  we  can  require  every  token  of  a  quasi-prime  generated 
information  system  to  be  a  quasi-prime. 

4  Universality  and  Amalgamation 

A  unified  theory  of  universal  objects  can  be  found  in  [3].  The  ba¬ 
sic  theorem  is  that  in  any  algebroidal  category  in  which  all  mor- 
phisms  are  monic,  the  existence  of  a  universal,  homogeneous  object 
is  equivalent  to  the  amalgamation  property  of  the  (finite  objects  of 
the)  category.  For  reference  purposes  we  recall  some  of  the  relevant 
definitions. 

Let C be a category where all the morphisms are monic (corresponding to the intuitive notion of one-to-one). Let $C_f$ be the finite objects of C. An object U of C is universal in C (or, C-universal) if for any object A in C, there is an arrow $f : A \to U$. U is homogeneous (or, $C_f$-homogeneous) if for any finite object A with a pair of arrows $f, g : A \to U$, there is an isomorphism $h : U \to U$ such that $f = h \circ g$. U is saturated if for any A, B of $C_f$ and arrows $f : A \to U$, $g : A \to B$, there is an $h : B \to U$ such that $h \circ g = f$.

A category C is said to have the amalgamation property if for any arrows $f_1 : A \to B_1$, $f_2 : A \to B_2$ in C, there are arrows $g_1 : B_1 \to B$, $g_2 : B_2 \to B$ in C such that the following diagram commutes.


[Diagram: the square formed by $f_1 : A \to B_1$, $f_2 : A \to B_2$, $g_1 : B_1 \to B$ and $g_2 : B_2 \to B$.]


The  result  of  Droste  and  Gobel  is  based  on  the  notion  of  an 
algebroidal  category. 


Definition 4.1 An algebroidal category is one which has the following properties:

It has an initial object,

Every object of the category is a colimit of an ω-chain of finite objects,

Every ω-chain of finite objects has a colimit, and

The number of (up to isomorphism) finite objects is countable.

Theorem 4.1 (Droste and Gobel) Let C be an algebroidal category with all morphisms monic. Let $C_f$ be the full subcategory of finite objects of C. The existence of a C-universal, $C_f$-homogeneous object is equivalent to the amalgamation property of $C_f$, which is in turn equivalent to the existence of a $C_f$-saturated object.

Note  that  in  various  categories  of  information  systems,  finite  ob¬ 
jects  are  often  exactly  those  with  a  finite  token  set. 


5  Q-Embeddings 


To be able to apply Theorem 4.1, we need to introduce an algebroidal category of quasi-prime generated information systems. The morphisms for this category are q-embeddings.

Definition 5.1 Let $\underline{A} = (A, Con_A, \vdash_A)$, $\underline{B} = (B, Con_B, \vdash_B)$ be quasi-prime generated information systems. A function $f : A \to B$ is a q-embedding of $\underline{A}$ into $\underline{B}$ if

1. f is one-to-one;

2. $\forall X \subseteq A\ \forall a \in A$

$$X \in Con_A \iff f(X) \in Con_B,$$

$$X \vdash_A a \iff f(X) \vdash_B f(a);$$

3. $f(A_q) \subseteq B_q$.

We remark that given a q-embedding from $\underline{A}$ to $\underline{B}$, if f(a) is a quasi-prime for some $a \in A$, then a itself must be a quasi-prime. Indeed, suppose $X \dashv\vdash_A a$. Then $f(X) \dashv\vdash_B f(a)$. But f(a) is a quasi-prime; so $f(a) \in f(X)$, which means $a \in X$ for f is one-one.

It is informative to show an example which is a usual embedding on information systems (i.e., that satisfies conditions 1, 2 above) [5, 2] but not a q-embedding.

Example. Let

$$\underline{A} = (\{1, 3\}, Con_A, \vdash_A)$$

where $Con_A$ includes $\{1, 3\}$, and $3 \vdash_A 1$, and let

$$\underline{B} = (\{1, 2, 3\}, Con_B, \vdash_B)$$

where $Con_B$ includes $\{1, 2, 3\}$, and $3 \vdash_B 1$, $3 \vdash_B 2$, and $\{1, 2\} \vdash_B 3$. It is clear that $\underline{A}$ embeds (by identity) into $\underline{B}$ in the usual sense, but not in the sense of a q-embedding. This is because $3 \in A_q$, but $3 \notin B_q$.
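As an added illustration, not code from the paper, the following Python models a finite information system as defined in Section 3 (Con given by its maximal consistent sets, ⊢ generated by the listed rules), computes its quasi-prime tokens, its quasi-prime elements and whether it is quasi-prime generated, and checks Definition 5.1 on the example above, where the identity map satisfies conditions 1 and 2 but fails condition 3. The class and function names (InfoSystem, is_q_embedding and so on) are my own choices.

```python
from itertools import combinations

def subsets(s):
    """All subsets of the finite set s as frozensets (the empty set included)."""
    s = list(s)
    return [frozenset(c) for r in range(len(s) + 1) for c in combinations(s, r)]

class InfoSystem:
    """Finite information system (A, Con, |-) as defined on the page: Con is the
    downward closure of the given maximal consistent sets (which must already be
    closed under entailment), |- the reflexive-transitive closure of rules (Y, b)."""

    def __init__(self, tokens, maximal_con, rules):
        self.tokens = frozenset(tokens)
        self.rules = [(frozenset(y), b) for y, b in rules]
        self.con = {frozenset({a}) for a in self.tokens}  # {a} is always consistent
        for m in maximal_con:
            self.con.update(subsets(m))  # subsets of consistent sets are consistent

    def closure(self, x):
        """Deductive closure {a | X |- a} of x (written overline-x on the page)."""
        cl = set(x)
        changed = True
        while changed:
            changed = False
            for y, b in self.rules:
                if y <= cl and b not in cl:
                    cl.add(b)
                    changed = True
        return frozenset(cl)

    def entails(self, x, a):
        """X |- a; only non-empty consistent X may stand on the left."""
        x = frozenset(x)
        return bool(x) and x in self.con and a in self.closure(x)

    def inter_derivable(self, x, a):
        """X -||- a: X |- a and a |- b for every b in X."""
        return self.entails(x, a) and all(self.entails({a}, b) for b in x)

    def is_quasi_prime_token(self, a):
        """Definition 3.1: every X with X -||- a already contains a."""
        return all(a in x for x in self.con if self.inter_derivable(x, a))

    def quasi_prime_tokens(self):
        return frozenset(a for a in self.tokens if self.is_quasi_prime_token(a))

    def is_quasi_prime_generated(self):
        """Each token is inter-derivable with some finite set of quasi-prime tokens."""
        return all(any(self.inter_derivable(x, a) for x in subsets(self.quasi_prime_tokens()))
                   for a in self.tokens)

    def elements(self):
        """|A|: the consistent, deductively closed token sets."""
        return [x for x in subsets(self.tokens) if x in self.con and self.closure(x) == x]

    def quasi_prime_elements(self):
        """Elements with exactly one element immediately below them (Theorem 2.1)."""
        els, result = self.elements(), []
        for x in els:
            below = [y for y in els if y < x]
            if len([y for y in below if not any(y < z for z in below)]) == 1:
                result.append(x)
        return frozenset(result)

def is_embedding(f, src, dst):
    """Conditions 1 and 2 of Definition 5.1 for a dict f defined on src.tokens."""
    if len(set(f.values())) != len(f):  # one-to-one
        return False
    for x in subsets(src.tokens):
        fx = frozenset(f[a] for a in x)
        if (x in src.con) != (fx in dst.con):
            return False
        if any(src.entails(x, a) != dst.entails(fx, f[a]) for a in src.tokens):
            return False
    return True

def is_q_embedding(f, src, dst):
    """Definition 5.1 in full: condition 3 adds f(A_q) subset of B_q."""
    return is_embedding(f, src, dst) and all(
        dst.is_quasi_prime_token(f[a]) for a in src.quasi_prime_tokens())

# The page's Section 5 example: A = {1,3} with 3 |- 1, and B = {1,2,3} with
# 3 |- 1, 3 |- 2 and {1,2} |- 3; every subset of the tokens is consistent.
A = InfoSystem({1, 3}, [{1, 3}], [({3}, 1)])
B = InfoSystem({1, 2, 3}, [{1, 2, 3}], [({3}, 1), ({3}, 2), ({1, 2}, 3)])
IDENTITY = {1: 1, 3: 3}

def section5_example():
    """Identity is a usual embedding of A into B but not a q-embedding."""
    return {
        "A_q": A.quasi_prime_tokens(),                  # {1, 3}
        "B_q": B.quasi_prime_tokens(),                  # {1, 2}
        "generated": A.is_quasi_prime_generated() and B.is_quasi_prime_generated(),
        "embedding": is_embedding(IDENTITY, A, B),      # True
        "q_embedding": is_q_embedding(IDENTITY, A, B),  # False: 3 in A_q but not in B_q
    }
```

The quasi_prime_elements method also lets one check the Section 3 claim on these two systems: the quasi-prime elements of |A| and |B| are exactly the closures of their quasi-prime tokens.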
Proposition 5.1 Quasi-prime generated information systems with q-embeddings form a category, written as Q.

We  now  present  several  propositions  leading  to  the  main  conclu¬ 
sion  that  Q  is  algebroidal. 

Proposition 5.2 Colimits exist in Q for ω-chains of finite information systems.

Proposition 5.3 Every quasi-prime generated information system is the colimit of an ω-chain of finite information systems in Q.

The above propositions, together with the observation that the empty information system is initial, imply the following.

Theorem  5.1  Quasi-prime  generated  information  systems  with 
q-embeddings  form  an  algebroidal  category. 

It  is  easy  to  see  that,  corresponding  to  q-embeddings,  there  is 
a  notion  of  embedding-projection  pairs  on  quasi-prime  algebraic  do¬ 
mains.  These  are  just  the  usual  embedding-projection  pairs  with  the 
additional  requirement  that  they  preserve  quasi-primes. 


6 Existence of a Saturated Quasi-Prime Algebraic Domain

The  purpose  of  this  section  is  to  show  that  the  finite  objects  of  the 
category  Q  have  the  amalgamation  property.  In  light  of  Theorem 
4.1  and  Theorem  5.1,  this  means  there  exists  a  saturated  quasi-prime 
generated  information  system.  Note  that  our  proof  below  follows  the 
style  of  [2]. 

Let $\underline{A} = (A, Con_A, \vdash_A)$, $\underline{B}_1 = (B_1, Con_1, \vdash_1)$ and $\underline{B}_2 = (B_2, Con_2, \vdash_2)$ be finite quasi-prime generated information systems such that $f_1 : \underline{A} \to \underline{B}_1$ and $f_2 : \underline{A} \to \underline{B}_2$ are q-embeddings. By renaming the tokens, it is enough to consider the case where the $f_i$'s are inclusions (partial identities) and $A = B_1 \cap B_2$.

Definition 6.1 We construct the information system

$$\underline{B} = (B, Con, \vdash)$$

from $\underline{B}_1$ and $\underline{B}_2$, where

• $B = B_1 \cup B_2$;

• $X \in Con$ if and only if
$\exists Z\, \exists Y \supseteq X \cap B_1.\ [Y \vdash_1 Z \vdash_2 X \cap B_2]$ or
$\exists Z\, \exists Y \supseteq X \cap B_2.\ [Y \vdash_2 Z \vdash_1 X \cap B_1]$;

• $\vdash = \bigcup_{i \ge 0} \vdash^i$ where the $\vdash^i$'s are specified as follows:

$$\vdash^0 = \{(X, a) \mid X \in Con\ \&\ \text{either } B_1 \cap X \vdash_1 a \text{ or } B_2 \cap X \vdash_2 a\},$$

$$\vdash^{i+1} = \{(X, a) \mid \exists Y.\ X \vdash^i Y \vdash^i a\}.$$

Before getting into technical details, we would like to give the reader an intuitive feeling of what is going on. $\underline{B}_1$ and $\underline{B}_2$ are two given structures sharing a common substructure $\underline{A}$. The question is whether $\underline{B}_1$ and $\underline{B}_2$ can both be seen living in a larger structure. The larger structure must respect the already-existing relationships between $\underline{B}_1$, $\underline{B}_2$, and $\underline{A}$. In particular, $\underline{A}$ serves as a "bridge" between $\underline{B}_1$ and $\underline{B}_2$, so some X from $B_1$ may entail some Y from A, which may in turn entail some Z in $B_2$. Entailment must be transitive; therefore, in the larger structure we should have X entail Z (see Figure 1). That is why our construction for $\vdash$ is a kind of transitive closure.

Figure 1: $\underline{A}$ acting as a bridge between $\underline{B}_1$ and $\underline{B}_2$

The consistency predicate $Con$, however, must come before $\vdash$ can be defined: the $\vdash$ relation is only defined on consistent sets. On the surface, it may look as if there can be several choices for specifying $Con$. Letting $X \in Con$ if and only if $X \cap B_1 \in Con_1$ and $X \cap B_2 \in Con_2$, for example, may seem to be a reasonable choice. A second thought, however, reveals that this is not the case.

Example. Let $A = \{1, 2\}$, with a trivial consistency predicate and a trivial entailment relation. Let $B_1 = \{\alpha, 1, 2\}$, with $\alpha \vdash_1 1$, and let $B_2 = \{1, 2, a, b\}$ such that $\{a, b\} \notin Con_2$, $\{1, 2\} \vdash_2 b$, and $a \vdash_2 2$. It is easy to check that we have three quasi-prime generated information systems in this way, and $\underline{A}$ q-embeds into $\underline{B}_1$ and $\underline{B}_2$. In the bigger system to be constructed, do we want to have $\{\alpha, a\} \in Con$ because $\{\alpha\} \in Con_1$ and $\{a\} \in Con_2$? The answer is no: the given conditions $\alpha \vdash_1 1$, $a \vdash_2 2$, and $\{1, 2\} \vdash_2 b$ would imply $\{\alpha, a\} \vdash \{a, b\}$, which must be inconsistent. □
Our original specification in Definition 6.1 seems to be the only right choice. We now check that $\underline{B}$ is indeed a quasi-prime generated information system which makes the diagram required by the amalgamation commute. This is achieved by a sequence of lemmas.

Lemma 6.1 The structure $\underline{B}$ given in Definition 6.1 is an information system.

Our  next  lemma  is  the  key  to  the  proofs  of  various  results  later. 

Lemma 6.2 For the information system $\underline{B}$ given in Definition 6.1, $X \subseteq B_1$ and $X \vdash Y$ imply
$X \vdash_1 Y \cap B_1$ and
$\exists Z \subseteq A.\ X \vdash_1 Z \vdash_2 Y \cap B_2$.

There are a couple of ways Lemma 6.2 can be interpreted. It says that for $X$'s from $B_1$, $\vdash$ is the same as $\vdash_1$: when $X$ and $Y$ are both restricted to $B_1$, $X \vdash Y$ if and only if $X \vdash_1 Y$. It also says that
$X \subseteq B_1 \ \&\ X \vdash Y \Rightarrow \exists X'.\ X \vdash_1 X' \vdash^0 Y$,
by taking $X'$ to be $(Y \cap B_1) \cup Z$. These corollaries are sometimes more handy to use.

Lemma 6.3 For $X \subseteq B_1$ and $a \in B_1$,
$X \in Con_1 \iff X \in Con$ and $X \vdash_1 a \iff X \vdash a$.
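To make Definition 6.1 concrete, and to re-check the example above and Lemma 6.3 on it mechanically, here is an added Python model (an illustration written for this edition, not the paper's own code). It represents a finite information system by its tokens, its minimal inconsistent sets and a list of generating entailments, derives $Con$ and $\vdash$ by closure, builds the amalgam $\underline{B}$ literally from the two clauses of Definition 6.1 (with the naive "$X \cap B_1 \in Con_1$ and $X \cap B_2 \in Con_2$" rule available for comparison), and runs the Section 6 example. The spelling `alpha` for the $B_1$ token, the closure-based encoding of $Con$, and letting $Z$ range over subsets of $A$ are this example's assumptions, not the paper's notation; q-embeddings are not modelled.

```python
"""Added model of finite information systems and of the amalgam B of
Definition 6.1 (illustration, not the paper's code).  A finite system is
given by tokens, forbidden (minimal inconsistent) sets and generating
entailments (Y, a); Con and |- are derived from closure, which for finite
systems yields the usual axioms: X is consistent iff its closure contains
no forbidden set, and X |- a iff a is in the closure of X.
q-embeddings are not modelled; the example below is the paper's own."""
from itertools import combinations


def subsets(tokens):
    toks = sorted(tokens, key=repr)
    for k in range(len(toks) + 1):
        for c in combinations(toks, k):
            yield frozenset(c)


class InfoSystem:
    def __init__(self, tokens, forbidden=(), generators=()):
        self.tokens = frozenset(tokens)
        self.forbidden = [frozenset(f) for f in forbidden]
        self.generators = [(frozenset(y), a) for y, a in generators]

    def closure(self, X):
        """Least superset of X closed under the generating entailments."""
        cl, changed = set(X), True
        while changed:
            changed = False
            for y, a in self.generators:
                if y <= cl and a not in cl:
                    cl.add(a)
                    changed = True
        return frozenset(cl)

    def con(self, X):
        X = frozenset(X)
        return X <= self.tokens and not any(f <= self.closure(X) for f in self.forbidden)

    def entails(self, X, Y):
        """X |- Y: X consistent and every token of Y in the closure of X."""
        return self.con(X) and frozenset(Y) <= self.closure(X)

    def consistent_sets(self):
        return [X for X in subsets(self.tokens) if self.con(X)]


class Amalgam:
    """B = (B1 u B2, Con, |-) of Definition 6.1 with A = B1 n B2.  naive=True
    swaps in the rejected rule 'X n B1 in Con_1 and X n B2 in Con_2'."""

    def __init__(self, B1, B2, naive=False):
        self.B1, self.B2, self.A = B1, B2, B1.tokens & B2.tokens
        self.tokens = B1.tokens | B2.tokens
        rule = self._naive_con if naive else self._bridge_con
        self._con = {X for X in subsets(self.tokens) if rule(X)}
        self._ent = self._entailment()

    def _bridge(self, S, T, XS, XT):
        # exists Z, exists Y >= XS . [ Y |-_S Z |-_T XT ], Z ranging over A
        return any(S.entails(Y, Z) and T.entails(Z, XT)
                   for Y in S.consistent_sets() if XS <= Y
                   for Z in subsets(self.A))

    def _bridge_con(self, X):
        X1, X2 = X & self.B1.tokens, X & self.B2.tokens
        return (self._bridge(self.B1, self.B2, X1, X2)
                or self._bridge(self.B2, self.B1, X2, X1))

    def _naive_con(self, X):
        return self.B1.con(X & self.B1.tokens) and self.B2.con(X & self.B2.tokens)

    def _entailment(self):
        # |-^0: B1 n X |-_1 a or B2 n X |-_2 a;  |-^{i+1}: exists Y. X |-^i Y |-^i a
        lvl = {X: {a for a in self.tokens
                   if self.B1.entails(X & self.B1.tokens, {a})
                   or self.B2.entails(X & self.B2.tokens, {a})}
               for X in self._con}
        while True:
            nxt = {X: set(s) for X, s in lvl.items()}
            for X in lvl:
                for Y in lvl:            # Y ranges over consistent sets only
                    if Y <= lvl[X]:
                        nxt[X] |= lvl[Y]
            if nxt == lvl:
                return lvl
            lvl = nxt

    def con(self, X):
        return frozenset(X) in self._con

    def entails(self, X, Y):
        X = frozenset(X)
        return X in self._ent and frozenset(Y) <= self._ent[X]


def lemma_6_3(am):
    """On subsets of B1 (and symmetrically B2), Con and |- of B agree with Con_i, |-_i."""
    for S in (am.B1, am.B2):
        for X in subsets(S.tokens):
            if am.con(X) != S.con(X) or any(
                    am.entails(X, {a}) != S.entails(X, {a}) for a in S.tokens):
                return False
    return True


def paper_example():
    """The Section 6 example; the B1 token is spelled 'alpha' to keep it apart from B2's 'a'."""
    B1 = InfoSystem({'alpha', 1, 2}, generators=[({'alpha'}, 1)])
    B2 = InfoSystem({1, 2, 'a', 'b'}, forbidden=[{'a', 'b'}],
                    generators=[({1, 2}, 'b'), ({'a'}, 2)])
    good, naive = Amalgam(B1, B2), Amalgam(B1, B2, naive=True)
    X = {'alpha', 'a'}
    return {'def61_con': good.con(X),                          # False
            'naive_con': naive.con(X),                         # True
            'naive_entails_ab': naive.entails(X, {'a', 'b'}),  # True
            'ab_con2': B2.con({'a', 'b'}),                     # False
            'lemma_6_3': lemma_6_3(good)}                      # True
```

`paper_example()` reproduces the argument of the text: under Definition 6.1 the set $\{\alpha, a\}$ is rejected (no $Y \supseteq \{\alpha\}$ entails, through $A$, the token $a$, and nothing in $B_2$ entails $\alpha$), whereas under the naive rule it is accepted and the transitive-closure entailment then derives $\{a, b\}$ from it, a set $\underline{B}_2$ declares inconsistent. `lemma_6_3` confirms that on subsets of $B_1$ (and of $B_2$) the amalgam's $Con$ and $\vdash$ coincide with the component's.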

We now come to another important lemma which deals with quasi-primes. It shows that quasi-primes in $\underline{B}_1$ or $\underline{B}_2$ remain quasi-primes in $\underline{B}$.

Lemma 6.4 Let $\underline{B}$ be the information system specified in Definition 6.1. Then every quasi-prime of its components remains a quasi-prime, i.e.,
$B_1^q \cup B_2^q \subseteq B^q$.

Note that the equality $B_1^q \cup B_2^q = B^q$ follows easily from this lemma.

As  a  corollary  of  the  previous  lemmas,  we  have 

Theorem 6.1 $\underline{B}$ is a quasi-prime generated information system. Moreover, both $\underline{B}_1$ and $\underline{B}_2$ q-embed into $\underline{B}$.

In  summary,  we  have  proved 

Theorem 6.2 The finite objects of the category Q have the amalgamation property.

As  a  consequence,  we  have  shown  the  following. 

Theorem 6.3 There exists a saturated quasi-prime algebraic domain.


7 A CPO of Quasi-Prime Generated Information Systems

One of the purposes of a universal domain is to ensure the existence of solutions to domain equations for denotational semantics of programming languages. Another way to achieve the same goal is to introduce a cpo of quasi-prime generated information systems using a substructure relation. Various constructions on information systems can be shown to induce continuous functions on the cpo. The existence of the least fixed point for continuous functions then guarantees the existence of solutions to domain equations. The advantage of this approach is that the solution is up to equality, rather than up to an isomorphism. We describe this approach now, which uses the idea first introduced in [5].


Definition 7.1 Let $\underline{A} = (A, Con_A, \vdash_A)$ and $\underline{B} = (B, Con_B, \vdash_B)$ be quasi-prime generated information systems. $\underline{A} \trianglelefteq \underline{B}$ if

1. $A \subseteq B$,

2. $X \in Con_A \iff X \subseteq A \ \&\ X \in Con_B$,

3. $X \vdash_A a \iff X \cup \{a\} \subseteq A \ \&\ X \vdash_B a$, and

4. $A^q \subseteq B^q$.

When $\underline{A} \trianglelefteq \underline{B}$ we call $\underline{A}$ a subsystem of $\underline{B}$. Our definition of subsystem is similar to that of Larsen and Winskel [5], with item 4 the only extra requirement. Note that for quasi-prime generated information systems $\underline{A}$ and $\underline{B}$, if $A = B$ (as sets of tokens) and $\underline{A} \trianglelefteq \underline{B}$, then $\underline{A} = \underline{B}$.

The relation $\trianglelefteq$ is a complete partial order on the class of quasi-prime generated information systems.


Theorem 7.1 The relation $\trianglelefteq$ is a partial order with the least element
$\bot = (\emptyset, \{\emptyset\}, \emptyset)$.
If $\underline{A}_0 \trianglelefteq \underline{A}_1 \trianglelefteq \cdots \trianglelefteq \underline{A}_i \trianglelefteq \cdots$ is an increasing chain of quasi-prime generated information systems where $\underline{A}_i = (A_i, Con_i, \vdash_i)$, then their least upper bound is
$\bigsqcup_i \underline{A}_i = (\bigcup_i A_i,\ \bigcup_i Con_i,\ \bigcup_i \vdash_i)$.

Write CPO for the class of quasi-prime generated information systems under $\trianglelefteq$. CPO is not a cpo in the usual sense simply because its elements form a class, not a set. The subsystem relation $\trianglelefteq$ can be easily extended to $n$-tuples in the same way as described in [8]. A useful observation is that a unary operation $F$ is continuous iff it is monotonic with respect to $\trianglelefteq$ and continuous on proposition sets, i.e. for any $\omega$-chain
$\underline{A}_1 \trianglelefteq \underline{A}_2 \trianglelefteq \cdots \trianglelefteq \underline{A}_i \trianglelefteq \cdots$,
each proposition of $F(\bigsqcup_i \underline{A}_i)$ is a proposition of $\bigsqcup_i F(\underline{A}_i)$.

Many  constructions  can  be  introduced  on  quasi-prime  generated 
information  systems  such  as  sum,  product,  lifting,  function  space, 
and  even  quasi-linear  function  space. 

In the rest of the section we illustrate that the function space $\to$ corresponds to a continuous operation
$\mathrm{CPO}^2 \to \mathrm{CPO}$.

Other  constructions  can  be  shown,  in  a  similar  way,  to  induce  con¬ 
tinuous  operations  on  CPO. 

The function space construction is given as follows.

$\underline{A} \to \underline{B} = (Con_A \times B^q,\ Con_{A \to B},\ \vdash_{A \to B})$, where

$X \in Con_{A \to B}$ iff $\bigcup \pi_A(X) \in Con_A \Rightarrow \pi_B(X) \in Con_B$,

$X \vdash_{A \to B} (u, b)$ iff $\{\,b' \mid \exists u'.\ u \vdash_A u' \ \&\ (u', b') \in X\,\} \vdash_B b$.
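As an added worked instance of the two clauses just given (not from the paper): let $\underline{A}$ have the single token $a$ and $\underline{B}$ the single token $b$, each with trivial consistency and trivial entailment ($X \vdash u$ iff $u \subseteq X$), and assume $b$ is a quasi-prime of $\underline{B}$ (quasi-primes are defined in the earlier sections of the paper, not on this page), so that $Con_A = \{\emptyset, \{a\}\}$ and $B^q = \{b\}$. Then
$$[\underline{A} \to \underline{B}] \text{ has the two tokens } (\emptyset, b) \text{ and } (\{a\}, b).$$
For $X = \{(\emptyset, b)\}$ and the token $(\{a\}, b)$: since $\{a\} \vdash_A \emptyset$ and $(\emptyset, b) \in X$, the set $\{\,b' \mid \exists u'.\ \{a\} \vdash_A u' \ \&\ (u', b') \in X\,\}$ is $\{b\}$, and $\{b\} \vdash_B b$, so
$$X \vdash_{A \to B} (\{a\}, b).$$
For $X' = \{(\{a\}, b)\}$ and the token $(\emptyset, b)$: $\emptyset \vdash_A u'$ holds only for $u' = \emptyset$, and no pair $(\emptyset, b')$ lies in $X'$, so the set is empty and $\emptyset \not\vdash_B b$; hence
$$X' \not\vdash_{A \to B} (\emptyset, b).$$
Reading $(u, b)$ as "on any argument entailing $u$, return at least $b$", the token with the weaker hypothesis $\emptyset$ is the stronger promise, which is why it entails the other and not conversely. Finally $\{(\emptyset, b), (\{a\}, b)\} \in Con_{A \to B}$, since $\bigcup \pi_A = \{a\} \in Con_A$ and $\pi_B = \{b\} \in Con_B$.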

Note that $\to$ preserves quasi-prime generated information systems. $\to$ is monotonic in its first argument. Suppose $\underline{A} \trianglelefteq \underline{A}'$. Write
$\underline{C} = (C, Con, \vdash) = [\underline{A} \to \underline{B}]$
and
$\underline{C}' = (C', Con', \vdash') = [\underline{A}' \to \underline{B}]$.
We check condition 4 in Definition 7.1 to show that $\underline{C} \trianglelefteq \underline{C}'$; this is trivial because every token of the function space is a quasi-prime.

Let $\underline{A}_0 \trianglelefteq \underline{A}_1 \trianglelefteq \cdots$ be a chain of quasi-prime generated information systems. Let $(u, a)$ be a token of $[(\bigsqcup_i \underline{A}_i) \to \underline{B}]$. Then clearly $(u, a)$ is a token of $[\underline{A}_j \to \underline{B}]$ for some $j$, and thus is a token of $\bigsqcup_i [\underline{A}_i \to \underline{B}]$. From this we can deduce that $\to$ is continuous in its first argument. By a similar but easier proof we get that $\to$ is continuous in its second argument; hence it is continuous.

As an application, we illustrate how to find a solution to the equation
$X = X_\bot \to X$
within quasi-prime generated information systems. Here $(\ )_\bot$ is the lifting construction specified as follows. Its use here makes sure that a non-trivial solution is obtained.

Let $\underline{A} = (A, Con, \vdash)$ be a quasi-prime generated information system. Define the lift of $\underline{A}$ to be $\underline{A}_\bot = (A', Con', \vdash')$, where

• $A' = (\{0\} \times A) \cup \{0\}$,

• $X \vdash' Y \iff [\,0 \in Y \text{ or } \{c \mid (0, c) \in X\} \vdash \{b \mid (0, b) \in Y\}\,]$.

It  is  easy  to  show  that  lifting  preserves  quasi-prime  generated 
systems.  It  is  an  operation  which,  given  a  structure,  produces  a  new 
one  by  joining  a  new  token  weaker  than  all  the  old  ones.  One  can 
easily  check  that  it  gives  a  continuous  operation. 

Since the composition of continuous functions remains continuous, and any continuous function $F(x, y)$ of two variables gives rise to a continuous function $F(x, x)$ of one variable, the operation
$X \mapsto [X_\bot \to X]$
is a continuous operation on quasi-prime generated information systems. It has a least fixed point
$\underline{A} = \underline{A}_\bot \to \underline{A}$.
This can be used as a model for the untyped lambda calculus.
Abstract

In this paper we describe models of several fragments of linear logic with the exponential operator ! (called "of course") in categories of linear spaces. We model ! by the Fock space construction in Banach (or Hilbert) spaces, a notion originally introduced in the context of quantum field theory. Several variants of this construction are presented, and the representation of Fock space as a space of holomorphic functions is described. This also suggests that the "non-linear" functions we arrive at via ! are not merely continuous, but analytic.
0 Introduction

Linear logic was introduced by Girard [G87] as a consequence of his analysis of the traditional connectives of logic into more primitive connectives. The resulting logic is more resource sensitive; this is achieved by placing strict control over the structural rules of contraction and weakening, introducing a new "modal" operator "of course" (denoted !) to indicate when a formula may be used in a resource-insensitive manner, i.e. when a resource is renewable. Without the ! operator, the essence of linear logic is carried by the multiplicative connectives; at its most basic level, linear logic is a logic of monoidal-closed categories (in much the same way that intuitionistic logic is a logic of cartesian-closed categories). In modelling linear logic, one begins with a monoidal-closed category, and then adds appropriate structure to model linear logic's additional features. To model linear negation, one passes to the *-autonomous categories of Barr [B79]. To model the additive connectives, one then adds products and coproducts. Finally, to model the exponentials, and so regain the expressive strength of traditional logic, one adds a triple and cotriple, satisfying properties to be outlined below. This program was first outlined by Seely in [Se89].

Linear logic bears strong resemblance to linear algebra (from which it derives its name), but one significant difference is the difficulty in modelling !. The category of vector spaces over an arbitrary field is a symmetric monoidal closed category, indeed in some sense the prototypical monoidal category, and as such provides a model of the intuitionistic variant of multiplicative linear logic. Furthermore, this category has finite products and coproducts with which to model the additive connectives. It thus makes sense to look for models of various fragments of linear logic in categories of vector spaces. However, modelling the exponentials is more problematic. It is the primary purpose of this paper to present methods of modelling exponential types in categories arising from linear algebra. We study models of the exponential connectives in categories of linear spaces which have monoidal (but generally not monoidal-closed) structure. (We shall also include a model in finite-dimensional vector spaces.)

To model the finer distinctions achieved by linear logic, one ought to consider vector spaces enriched with appropriate additional structure. For example, to model linear negation, one considers vector spaces enriched with an additional topological structure. These are the linear topologies of Lefschetz and Barr [Le41, B76a]. The relationship to linear logic is discussed in [Bl93a]. To model the noncommutative [Ab91] or braided [Bl93b] variants of linear logic, one considers the linear representations of certain Hopf algebras [Bl93a]. Finally, to model the exponentials, it is necessary to consider normed vector spaces.

Vector  spaces  are  inherently  finitary  structures  in  the  sense  that  every 
vector  is  a  finite  sum  of  multiples  of  basis  vectors,  and  one  is  allowed  only 
to  take  finite  sums  of  vectors.  To  model  the  notion  of  infinitely  renewable 
resources,  one  would  like  to  be  able  to  take  infinite  sums  of  vectors.  But  to 
do  this,  one  needs  a  notion  of  convergence,  and  to  define  convergence  one 
needs  a  notion  of  topology.  The  most  heavily  studied  topological  vector 
spaces  are  Hilbert  and  Banach  spaces  which  derive  their  topologies  from  a 
norm;  either  defined  indirectly  via  an  inner  product,  as  in  Hilbert  spaces, 
or  directly,  as  in  Banach  spaces.  Once  a  vector  space  is  normed,  then  all 
of  the  familiar  notions  from  analysis,  such  as  limit  and  Cauchy  sequence 
can  be  defined.  What  we  wish  to  suggest  in  this  paper  is  that  while  the 
multiplicative  and  additive  fragment  MALL  of  linear  logic  corresponds  to 
the  linear  structure  of  a  vector  space,  the  exponentials  correspond  to  its 
analytic  structure. 

We  begin  by  introducing  the  two  main  notions  of  complete  normed 
vector  space,  Banach  spaces  and  Hilbert  spaces.  The  construction  which 
will  be  used  to  model  the  exponential  formulas  !  A  arose  originally  in 
quantum  field  theory,  and  is  known  as  Fock  space.  It  was  designed  as 
a  framework  in  which  to  consider  many  particle  states.  The  key  point 
of  departure  for  quantum  field  theory  was  the  realization  that  so-called 
“elementary”  particles  are  created  and  destroyed  in  physical  processes 
and  that  the  mathematical  formalism  of  ordinary  quantum  mechanics 
needs  to  be  revised  to  take  this  into  account.  The  physical  intuitions 
behind  the  Fock  construction  will  be  sketched  in  the  penultimate  section. 
The  formula  for  Fock  space  will  also  be  familiar  to  mathematicians  in 
that  it  corresponds  to  the  free  symmetric  algebra  on  a  space.  As  a  free 
construction,  Fock  induces  a  pair  of  adjoint  functors,  and  hence  a  cotriple. 
It  is  this  cotriple  which  will  be  used  to  model  ! .  It  should  be  noted 
that  this  category  of  algebras  inherits  the  monoidal  structure  from  the 
underlying category of spaces but there is no hope that this category could have a monoidal-closed structure.

While Fock space has an abstract representation in terms of an infinite direct sum, physicists such as Ashtekar, Bargmann, Segal and others, see [AM-A80, Ba61, S62], have analyzed concrete representations of Fock space as certain classes of holomorphic functions on the base space. Thus, these models further the intuition that the exponentials correspond to the analytic properties of the space. In fact, there is a clear sense in which morphisms in the Kleisli category for the cotriple can be viewed as generalized holomorphic functions. Thus, there should be an analogy to coherence spaces, where the Kleisli category corresponds to the stable maps.

Fock space also has two additional features which correspond to additional structure, not expressible in the syntax of linear logic. These are the annihilation and creation operators, which are used to model the annihilation and creation of particles in a field. These may give a tighter control of resources not expressible in the pure linear logic. Thus, these models may be closer to the bounded linear logic of Girard, Scedrov and Scott [GSS91].

The  results  of  this  paper  suggest  that  analyticity  may  provide  new 
insights  into  computability  not  captured  by  the  traditional  notions  of 
continuity.  Continuity  has  been  enormously  successful  in  capturing  the 
idea  that  computable  functions  process  information  a  finite  piece  at  a 
time.  On  the  other  hand,  there  are  many  continuous  functions  that  are 
not  computable.  Despite  the  tremendous  clarifications  brought  about  by 
Scott’s  ideas,  a  precise  characterization  of  computability  still  appeals  to 
notions  of  encoding  from  classical  recursion  theory.  With  the  notion  of 
analytic  function  one  has  the  notion  of  convergent  power  series  which 
represents  the  function.  This  is  nothing  more  than  an  encoding  of  a 
continuous  function  with  a  discrete  string.  Thus  the  notion  of  encoding 
may  be  captured  by  analyticity.  Of  course,  we  are  far  from  offering  any 
such  theory  yet. 

Another possible application of this work is that the refined connectives of linear logic may lend insight into certain aspects of quantum field theory. For example, there are two distinct methods of combining particle states. One can superimpose two states onto a single particle, or one can have two particles coexisting. The former seems to correspond to additive conjunction and the latter to the multiplicative. This physical imagery is missing in quantum mechanics, which was specially designed to handle a single particle; it only shows up in quantum field theory.

In this paper, we begin by reviewing the categorical structure necessary to model linear logic, and specifically exponential types. We then give the relevant definitions pertaining to normed vector spaces, as well as a number of examples. We also discuss the monoidal structure of these categories. Then, the various ingredients which go into the construction of Fock space are presented and the resulting adjointness is described. Finally, the holomorphic function representation of Fock space is presented, and a brief description of its physical interpretation is given.


1  Linear  Logic  and  Monoidal  Categories 

We shall begin with a few preliminaries concerning linear logic. We shall not reproduce the formal syntax of linear logic, nor the usual discussion of its intuitive interpretation or utility; for this the reader is referred to the standard references, such as [G87]. We do recall [Se89] that a categorical semantics for linear logic may be based on Barr's notion of *-autonomous categories [B79]. If only to establish notation, here is the definition.

Definition 1 A category $\mathcal{C}$ is *-autonomous if it satisfies the following:

1. $\mathcal{C}$ is symmetric monoidal closed; that is, $\mathcal{C}$ has a tensor product $A \otimes B$ and an internal hom $A \multimap B$ which is adjoint to the tensor in the second variable:
$\mathrm{Hom}(A \otimes B, C) \cong \mathrm{Hom}(B, A \multimap C)$

2. $\mathcal{C}$ has a dualizing object $\bot$; that is, the functor $(\ )^\bot : \mathcal{C}^{op} \to \mathcal{C}$ defined by $A^\bot = A \multimap \bot$ is an involution (viz. the canonical morphism $A \to ((A \multimap \bot) \multimap \bot)$ is an isomorphism).

In addition various coherence conditions must hold; a good account of these may be found in [M-OM89]. Coherence theorems may be found in [BCST, Bl91, Bl92]. An equivalent characterization of *-autonomous categories is given in [CS91], based on the notion of weakly distributive categories. That characterization is useful in contexts where it is easier to see how to model the tensor $\otimes$, the "par" ⅋ and linear negation, and the coherence conditions may be expressed in terms of those operations.

The structure of a *-autonomous category models the evident eponymous structure of linear logic: the categorical tensor $\otimes$ is the linear multiplicative $\otimes$ and the internal hom $\multimap$ is linear implication. The dualizing object $\bot$ is the unit for linear "par" ⅋, or equivalently, is the dual of the unit $I$ for the tensor¹.

There are a number of variants of linear logic whose categorical semantics is based on this. First is full "classical" linear logic, which includes the additive operations. These correspond to requiring that the category $\mathcal{C}$ have products and coproducts. (If $\mathcal{C}$ is *-autonomous, one of these will imply the other by de Morgan duality.) There is also Girard's notion of "intuitionistic" linear logic [GL87], which omits linear negation and "par"; this corresponds to merely requiring that $\mathcal{C}$ be autonomous, that is to say, symmetric monoidal closed (with or without products and coproducts, depending on whether or not the additives are wanted). There is an intermediate notion, "full intuitionistic linear logic" due to de Paiva [dP89], in which the morphism $A \to A^{\bot\bot}$ need not be an isomorphism. And as mentioned above, there is the notion of weakly distributive category [CS91, BCST], where negation and internal hom are not required.

¹In other papers we have used the notation $\top$ for the unit for $\otimes$, and $\oplus$ instead of ⅋. Here we shall try to avoid controversy by using notation traditional in the context of Banach spaces, and by generally ignoring the "par". So in this paper, $\oplus$ means direct sum, which coincides with Girard's notation. We use $\times$ for cartesian product, corresponding to Girard's &. And we shall use the usual notation for the appropriate spaces when referring to the units.

One classically important class of *-autonomous categories are the compact categories [KL80] where the tensor is self-dual: $(A \otimes B)^\bot = A^\bot \otimes B^\bot$. Linear logicians often regard with derision those models in which "tensor" and "par" coincide, but from some mathematical points of view these are very natural.

In  this  paper  we  shall  model  various  fragments  of  linear  logic;  we 
shall  describe  the  fragments  in  terms  of  the  categorical  structure  present, 
without  explicitly  identifying  the  fragments. 

Finally,  in  order  to  be  able  to  recapture  the  full  strength  of  classical 
(or  intuitionistic)  logic,  one  must  add  the  “exponential”  !  (and  its  de 
Morgan  dual  ? ).  (All  our  structures  will  model  ! .)  We  saw  in  [Se89] 
that  this  amounts  to  the  following. 

Definition 2 A monoidal category $\mathcal{C}$ with finite products admits (Girard) storage if there is a cotriple $! : \mathcal{C} \to \mathcal{C}$ (with the usual structure maps $A \xleftarrow{\varepsilon_A} !A \xrightarrow{\delta_A} !!A$), satisfying the following:

1. for each object $A \in \mathcal{C}$, $!A$ carries (naturally) the structure of a (cocommutative) $\otimes$-comonoid $I \xleftarrow{e_A} !A \xrightarrow{d_A} !A \otimes !A$ (and the coalgebra maps are comonoid maps), and

2. there are natural comonoidal isomorphisms
$I \to !1$ and $!A \otimes !B \to !(A \times B)$.

Some remarks: First, it is not hard to see that the first condition above is redundant, the comonoidal structure on $!A$ being induced by the isomorphisms of the second condition. However, the first condition is really the key point here, as may be seen from several generalizations of this definition, to the intuitionistic case without finite products in [BBPH], and to the weakly distributive case, again without finite products, [BCS93]. The main point here is that without products one replaces the second condition with the requirement that the cotriple ! (and the natural transformations $\varepsilon$, $\delta$) be comonoidal. And second, one ought not drown in the categorical terminology; terms like "comonoidal" in essence refer to various coherence (or commutativity) conditions which may be looked up when needed. Readers not interested in coherence questions can follow the discussion by just noting the existence of appropriate maps, and believe that all the "right" diagrams will commute. They can regard it as somebody else's business to ensure that this is indeed the case.

In the mid-1980's, Girard studied coherence spaces as a model of system F, and realized the following fact, which led directly to the creation of linear logic. Of course Girard did not put the matter in these categorical terms at the time, but the essential content remains the same: ordinary implication factors through linear implication via the cotriple !. (Another way of expressing this is to say that a model of full classical linear logic induces an interpretation of the typed $\lambda$-calculus.)

Theorem 1 If $\mathcal{C}$ is a *-autonomous category with finite products admitting Girard storage !, then the Kleisli category $\mathcal{C}_!$ is cartesian closed.

This  result  is  virtually  folklore,  but  a  proof  may  be  found  in  [Se89]. 

One of the problems with finding models of linear logic comes from the difficulty of finding well-behaved (in the above sense) cotriples on *-autonomous categories. For example, one of the main problems with vector spaces as a model of linear logic is the lack of any natural interpretation of !. (We shall soon return to this point, and indeed, in a sense this is the main point of this paper.) This question seems closely bound up with questions of completeness. Barr [B91] has shown how in certain cases one can get appropriate cotriples (via cofree coalgebras) from a subcategory of the Chu construction [B79]. One case where this route works out fairly naturally is if the *-autonomous category is compact: in that case, one can construct cofree coalgebras by the familiar formula
$!A = I \times A \times (A \otimes_s A) \times (A \otimes_s A \otimes_s A) \times \cdots$
(where the tensors $\otimes_s$ are the symmetric tensor powers). We shall see an echo of this construction in the Fock space construction below.

2  Normed  Vector  Spaces 

As discussed in the introduction, we will be primarily working in normed vector spaces. Normed spaces seem necessary to capture correctly the intuition behind Girard's exponentials. Vector spaces are, in some sense, intrinsically finitary structures. Every vector is a finite sum of multiples of basis vectors, and one is only allowed to take finite sums of arbitrary vectors. It seems likely that to correctly model ! and ?, one should be able to take infinite sums of vectors, thereby capturing the idea of an infinitely renewable resource. However, to do this, one needs a notion of convergence. And to define convergence, one needs a notion of norm. Once a space is normed, then it is possible to define limits and Cauchy sequences, and so on. Normed vector spaces, which are the principal objects of study in functional analysis, should be considered as the meeting ground of concepts from linear algebra and analysis. They are also an ideal place to model linear logic.

We  will  now  briefly  review  the  basic  concepts  of  the  subject.  For  more 
complete  discussions,  see  [KR83,  C90,  CLM79]. 

Henceforth all vector spaces are assumed to be over the complex numbers and are allowed to be infinite-dimensional. We will use Greek letters for complex numbers and lower-case Latin letters from the end of the alphabet for vectors.

Definition 3 A norm on a vector space $V$ is a function, usually written $\|\ \|$, from $V$ to $\mathbb{R}$, the real numbers, which satisfies

1. $\|v\| \geq 0$ for all $v \in V$,

2. $\|v\| = 0$ iff $v = 0$,

3. $\|\alpha v\| = |\alpha|\,\|v\|$,

4. $\|v + w\| \leq \|v\| + \|w\|$.

For finite dimensional vector spaces the norm usually used is the familiar Euclidean norm. As soon as one has a norm one obtains a metric by the equation $d(u, v) = \|u - v\|$. One can ask whether the resulting space is complete or not as a metric space. It turns out that the spaces that are complete play a central role in functional analysis.

2.1  Banach  Spaces 

Definition  4  A  Banach  space  is  a  complete,  normed  vector  space. 

Example 1 Consider the space of sequences of complex numbers. We write $a$ for such a sequence, $a = (a_i)$, and we write $\|a\|_\infty$ for the supremum of the $|a_i|$. Let
$\ell_\infty = \{a : \|a\|_\infty < \infty\}.$
This is a Banach space with $\|a\|_\infty$ as the norm.

Another norm is obtained on sequences as follows. Define:
$\|a\|_1 = \sum_{i=1}^{\infty} |a_i|.$
Then let:
$\ell_1 = \{a : \|a\|_1 < \infty\}.$
More generally, if $p \geq 1$, we may define:
$\ell_p = \{a : \|a\|_p = (\sum_{i=1}^{\infty} |a_i|^p)^{1/p} < \infty\}.$
All of these will be examples of Banach spaces. Furthermore, these can be defined not only for sequences of complex numbers, but for sequences obtained from any Banach space.

Example 2 Let $X$ be a compact Hausdorff space. The vector space of complex-valued continuous functions on $X$ is generally denoted $C(X)$. Since $X$ is compact, such functions must have a supremum, and from this it is straightforward to obtain a norm. Now convergence in this norm is the familiar notion of uniform convergence. As is well known from elementary analysis, a uniformly Cauchy sequence of bounded continuous functions converges uniformly to a bounded continuous function. Thus, we have a Banach space. On the other hand, if we looked at functions that vanish outside some closed, bounded interval (the functions of compact support), then we do not get a Banach space, since these could converge to a function that does not have compact support.

The  following  theorem  shows  one  common  way  in  which  Banach  spaces 
arise.  First  we  need  a  definition. 

Definition 5 Suppose that $B_1$, $B_2$ are Banach spaces and that T is a linear map from $B_1$ to $B_2$. We say that T is bounded if

exists. We define the norm of T, written $\| T \|$, to be this number.

If T is indeed bounded, then a standard argument [KR83] establishes

Lemma 2 $\sup_{\| x \| = 1} \| Tx \| = \| T \|$.

Thus one can use vectors of unit norm to calculate the norm of a linear function rather than having to look for the sup over all nonzero vectors. 


1 


! 
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Linear  maps  from  a  Banach  space  to  itself  are  traditionally  called  opera¬ 
tors,  and  the  norm  of  such  maps  is  called  the  operator  norm. 

Since  a  Banach  space  is  also  a  metric  space  under  the  induced  metric 
described  above,  one  can  also  ask  to  characterize  which  linear  maps  are 
also  continuous.  In  this  regard,  we  have  the  following  result. 

Lemma 3 A linear map $f : A \to B$ is continuous if and only if it is bounded. 

The  following  theorem  shows  that  the  category  of  Banach  spaces  and 
bounded  linear  maps  is  enriched  over  itself. 

Theorem  4  If  A  is  a  normed  vector  space  and  B  is  a  Banach  space  then 
the  space  of  bounded  linear  maps  with  the  norm  above  is  a  Banach  space. 

We will denote this space $A \multimap B$. 

There are several possible categories of interest with Banach spaces as the objects. The most obvious one is the category with bounded linear maps as the morphisms. However, it turns out that the category with contractive maps² is of greater interest and has nicer categorical properties. These properties are discussed in [B76a] and below.

Definition 6 A contractive map, T, from A to B is a bounded linear map satisfying the condition $\| Tx \| \le \| x \|$. Equivalently, the contractive maps are those of norm less than or equal to 1.

We will write BANCON for the category of Banach spaces and contractive maps and BANACH for the category of Banach spaces and bounded linear maps. While BANCON has a richer categorical structure, for the purposes of modelling the exponential types of linear logic, we will be forced to work in BANACH. 

2.2  Monoidal  Structure  of  BANACH 

We first point out that BANACH has a canonical symmetric monoidal closed structure. We begin by constructing a tensor product. Let A and B be objects in BANACH. Begin by forming the tensor of A and B, $A \otimes_{\mathbb{C}} B$, as complex vector spaces. We first define a partial norm for elements of the form $a \otimes b$ by the equation:

$\| a \otimes b \| = \| a \| \, \| b \|$

² Strictly speaking, they should be called "non-expansive" maps. 
We would like to extend this partial norm to a norm on all of $A \otimes_{\mathbb{C}} B$. Such a norm is called a cross norm. It turns out that there are many such cross norms, a number of which were discovered by Grothendieck. The one we will use in this paper is called the projective cross norm. It is in some sense the least such. A detailed discussion of these issues is contained in [T79]. The projective cross norm is defined for an arbitrary element, x, of $A \otimes_{\mathbb{C}} B$ by the following formula:

$\| x \| = \inf \{ \sum \| a \| \, \| b \| \text{ such that } x = \sum a \otimes b \}$

One can verify that this is in fact a cross norm on $A \otimes_{\mathbb{C}} B$. Now, the resulting normed space will not be complete in general, so one obtains a Banach space by completing it. This will act as the tensor product in the category BANACH. It will be denoted simply by $A \otimes B$. Furthermore, we have the following adjunction in BANACH.

Lemma 5 The functor $B \otimes (\,)$ is left adjoint to $B \multimap (\,)$.

Corollary 6 BANACH is a symmetric monoidal closed category.

Analogously, BANCON is also a monoidal closed category. Note that although one only uses contractive maps in this category, the internal hom is still given by all bounded linear maps. 

As  such,  they  are  models  of  (at  least)  the  multiplicative  fragment 
of  intuitionistic  linear  logic.  To  obtain  a  model  of  the  classical  linear 
logic, one possibility is the topological construction of Barr in [B76a]. 
See  also  [B193a].  The  idea  is  to  add  an  additional  topological  structure  to 
the  space,  and  then  only  consider  maps  which  are  also  continuous  with 
respect  to  this  topology.  If  the  topology  is  chosen  carefully,  one  obtains  a 
large  class  of  reflexive  objects,  i.e.  objects  which  are  isomorphic  to  their 
double  dual  space.  Such  objects  can  be  used  to  model  the  negation  of 
classical  linear  logic. 

2.3 Completeness Properties of BANCON and BANACH

The main advantage of studying the category of contractions is in its completeness properties. While BANACH has very weak completeness properties, BANCON is complete and cocomplete. These constructions exist in BANACH but some lose the universal property. We will describe some of these universal properties. We begin with finite coproducts.

Definition 7 Let A and B be Banach spaces. The direct sum, $A \oplus B$, is the Cartesian product equipped with the norm $\| a \oplus b \| = \| a \| + \| b \|$. 
Then we have the distributivity property of $\otimes$ over $\oplus$.

Proposition 7 $A \otimes (B \oplus B') \cong (A \otimes B) \oplus (A \otimes B')$.

We now discuss finite products.

Definition 8 The product of two Banach spaces, $A \times B$, has as its underlying space $A \oplus B$, but now with norm given by:

$\| a \oplus b \| = \max\{ \| a \|, \| b \| \}$

As a category of vector spaces, BANCON is fairly unique in this respect. While most such categories model the additive fragment of linear logic, they invariably equate the two connectives, since finite products and coproducts coincide. In other words, BANCON does not share the familiar property of being an additive category. 

We now present countably infinite products and coproducts.

Definition 9 Let $(A_i)$ be a sequence of Banach spaces. Define $\Pi(A_i)$ to be those sequences which converge in the $l_\infty$ norm, i.e. bounded sequences equipped with the obvious norm.

Define $\Sigma(A_i)$ to be all sequences which converge in the $l_1$ norm.

This gives countable products and coproducts in BANCON. Similar constructions can be applied for uncountable products and coproducts.

Equalizers in BANCON correspond to equalizers in the underlying category of vector spaces. The fact that bounded maps are continuous implies that the subspace will be complete. Coequalizers are obtained as a quotient, with the induced norm being the infimum of the norms of the elements of the equivalence class. See [C90] for a discussion of quotients of Banach spaces.

Theorem 1 BANCON is complete and cocomplete.

All of the above constructions exist in BANACH, but some of them will lose their universal property. BANACH is an additive category, with sums and products given by the coproducts in BANCON. (Note that the two spaces $A \times B$ and $A \oplus B$ are isomorphic in BANACH, but not in BANCON.) In BANACH, the above infinite products and coproducts exist, but do not share the universal property. They only have this property for bounded families of maps. Equalizers and coequalizers are as in BANCON. 
2.4 Hilbert Spaces 

An  alternate  approach  to  defining  a  norm  on  a  vector  space  is  via  an  inner 
product.  An  inner  product  has  the  property  that  it  induces  a  norm  on 
the  underlying  space. 

Definition  10  Given  a  complex  vector  space,  V,  an  inner  product  for 
V  is  a  function  from  V  x  V  to  the  complex  numbers  which  is  conjugate 
linear  in  its  first  argument  and  linear  in  its  second  argument.  This  is 
written  (u|v). 

Furthermore, an inner product must have the following properties.

• $(x|x) \ge 0$

• $(x|y) = \overline{(y|x)}$

• if $(x|x) = 0$, then $x = 0$

Here, $\bar z$ refers to complex conjugation. Real Hilbert spaces are defined analogously, with conjugation being taken to be the identity.

Given an inner product we immediately get a norm by $\| x \| = (x|x)^{1/2}$. As with Banach spaces, what turns out to be crucial is the property of being complete. 

Definition  11  A  Hilbert  space  is  a  vector  space  equipped  with  an  inner 
product  such  that  the  vector  space  is  complete  in  the  induced  norm. 

Example 3 The space $l_2$ of all sequences of complex numbers such that:

$\sum_{i=1}^{\infty} |a_i|^2 < \infty$

One defines an inner product by:

$(x|y) = \sum_{i=1}^{\infty} \bar{x}_i \, y_i$

Every  finite  dimensional  complex  vector  space  is  a  Hilbert  space  with 
the  usual  inner  product. 

The category of Hilbert spaces and bounded linear maps will be denoted by HILBERT. This category has a tensor product which can be constructed in a manner analogous to the construction for Banach spaces. HILBERT also has finite products and coproducts; in both cases these are given by direct sum, with the evident inner product. HILBERT does not have very many infinite limits or colimits. 


3  Symmetric  and  Antisymmetric  Tensors 

We  introduce  two  further  constructions  in  the  category  BANACH.  These 
will  be  quotients  of  the  tensor  product.  Since  the  category  has  coequal¬ 
izers  such  quotients  will  be  well-defined. 

3.1  Symmetric  Tensor  Products 

First,  we  introduce  the  symmetric  tensor  product  of  a  Banach  space  with 
itself. 

Definition 12 Let A be a Banach space. The Banach space $A \otimes_s A$ is defined to be the following coequalizer:

$A \otimes A \ \overset{\mathrm{id}}{\underset{\tau}{\rightrightarrows}}\ A \otimes A \longrightarrow A \otimes_s A$

Note that $\tau$ is the twist map, $a \otimes b \mapsto b \otimes a$. 

This  is  the  general  definition  of  symmetrized  tensor.  It  turns  out  that 
in  categories  of  vector  spaces,  this  quotient  is  canonically  isomorphic  to 
the  equalizer  of  these  two  maps,  and  that  this  equalizer  is  split  by  the 
map: 

$a \otimes b \mapsto \tfrac{1}{2}(a \otimes b + b \otimes a)$

We  will  frequently  use  this  representation  in  the  sequel. 

The nth symmetric power is defined analogously. The Banach space $\otimes^n A$ has $n!$ canonical endomorphisms, and the Banach space $\otimes^n_s A$ is the coequalizer of all of these. Again, it is isomorphic to the equalizer, and there is a splitting, as above. A good way to view the symmetrized tensor is to observe that the symmetric group acts on the space $\otimes^n A$, and that the symmetrized tensor is the invariant subspace. As such, an appropriate notation for the symmetrized tensor is:

$\dfrac{\otimes^n A}{n!}$

We will freely use this representation as well. 

3.2  Antisymmetric  Tensor  Products 

This will be defined in a similar fashion. Again, we first define the antisymmetric tensor of a Banach space B with itself. It will be denoted $B \otimes_a B$. It is the coequalizer of the following diagram:

$B \otimes B \ \overset{\mathrm{id}}{\underset{-\tau}{\rightrightarrows}}\ B \otimes B \longrightarrow B \otimes_a B$

Here, $-\tau$ is the map $a \otimes b \mapsto -b \otimes a$.

Members of this space can be canonically viewed as elements of the ordinary tensor product, of the form:

$x = a \otimes b - b \otimes a$

The nth antisymmetric power is defined analogously. 


4  Fock  space  and  categories  of  algebras 

4.1  Fock  space 

We are now ready to define the Fock spaces. They are traditionally defined in HILBERT; we will, however, define them in BANACH.

Definition 13 Let B be a Banach space. The symmetric Fock space of B is the infinite direct sum of the spaces $\otimes^n_s B$, where, when n is zero we use the complex numbers. The antisymmetric Fock space of B is the infinite direct sum of the spaces $\otimes^n_a B$.

$\mathcal{F}(B) = \mathbb{C} \oplus B \oplus \cdots \oplus \otimes^n_s B \oplus \cdots$

$\mathcal{F}_A(B) = \mathbb{C} \oplus B \oplus \cdots \oplus \otimes^n_a B \oplus \cdots$

Since Fock is defined using infinite direct sums and coequalizers it is clear that Fock defines a functor.

We can think of an element of $\mathcal{F}(B)$ as an infinite sequence $(c, v_1, v_2, \ldots)$ where c is a complex number and $v_i \in \otimes^i_s B$.

Now we check that the Fock space actually satisfies all the properties that need to be satisfied by an of-course type, i.e. satisfies the properties of [Se89], discussed in Section 1. This consists of two parts, verifying that Fock spaces form a cotriple on the category of Banach algebras and verifying the so-called exponential law, viz. $!(A \times B) = !A \otimes !B$. We check the former by displaying a suitable adjunction in the next subsection.

Proposition 8 Let A and B be Banach spaces.

$\mathcal{F}(A \times B) \cong \mathcal{F}(A) \otimes \mathcal{F}(B)$.



Here  the  product  is  what  is  called  the  direct  sum  by  analysts.  The  iso¬ 
morphism  is  in  the  category  BANACH. 

Proof. We need to exhibit maps in both directions and show that all the conditions required for an isomorphism are satisfied. The isomorphism is based on the following "formal calculation".

$\mathcal{F}(A \times B) = \mathcal{F}(A \oplus B)$

$= \mathbb{C} \oplus (A \oplus B) \oplus \otimes^2_s (A \oplus B) \oplus \cdots$

$= \mathbb{C} \oplus A \oplus B \oplus (A \otimes_s A) \oplus (B \otimes_s B) \oplus (A \otimes_s B) \oplus \cdots$

$= \mathcal{F}(A) \otimes \mathcal{F}(B)$.

The rigorous argument is as follows. We call an element of $\mathcal{F}(B)$ a pure tensor if it is of the form $(0, 0, \ldots, v, 0, 0, \ldots)$ and a finite-rank tensor if it is of the form $(v_0, v_1, \ldots, v_n, 0, 0, \ldots)$; i.e. zero after some finite stage. Now the pure tensors form a basis for $\mathcal{F}(B)$. In order to define the iso from $\mathcal{F}(A \times B)$ to $\mathcal{F}(A) \otimes \mathcal{F}(B)$ we need only specify the map on the pure tensors. A pure tensor, p, in $\mathcal{F}(A \times B)$ looks like $p = \sum x_1 \otimes \ldots \otimes x_n$ where $x_i = y_i + z_i$, $y_i \in A$, $z_i \in B$. Using distributivity of $\otimes$ over $+$ we have

$p = \sum [(y_1 + z_1) \otimes \ldots \otimes (y_n + z_n)]$

$= \sum [\, y_1 \otimes \ldots \otimes y_n + \cdots + z_1 \otimes \ldots \otimes z_n \,]$

The last expression is a sum of elements of $\mathcal{F}(A) \otimes \mathcal{F}(B)$. The iso in the other direction is obtained by viewing the pure elements of $\mathcal{F}(A)$ and $\mathcal{F}(B)$ as polynomials and carrying out polynomial multiplication. □

The  units  are  easily  identified. 

Lemma  9  The  complex  numbers,  C,  viewed  as  a  Banach  space  form  a 
unit  for  tensor  product.  The  one  point  space,  written  0,  is  the  unit  for 
the  direct  sum. 

The  effect  of  T  on  the  units  is  given  below.  The  proofs  are  immediate 
from  the  definitions.  Equality  means  isomorphism  in  BANACH. 

Lemma 10 1. $\mathcal{F}(0) = \mathbb{C}$.

2. $\mathcal{F}(\mathbb{C}) = l_1$.

Proof. The proof of the first assertion is immediate. For the second assertion, note that, since $\mathbb{C}$ is the unit for tensor, all the terms in the infinite direct sum are just $\mathbb{C}$. Thus we have infinite sequences of members of $\mathbb{C}$ with the same convergence criterion as for $l_1$. □

This  lemma  shows  that  one  cannot  use  this  construction  in  categories 
of  finite-dimensional  spaces. 

Now we consider the antisymmetrized Fock space³. It turns out that one gets a model of the exponential types in the category of finite-dimensional vector spaces using the antisymmetrized Fock space.

Proposition 11 If V is a finite-dimensional vector space of dimension n, then $\mathcal{F}_A(V)$ is also a finite-dimensional vector space with dimension $2^n$.

Proof. Consider the vector space $\otimes^p_a V$ with $p > n$. We claim that this space is the zero vector space. Since $\otimes$ is adjoint to internal hom in $\mathcal{VEC}_{fd}$, the space $\otimes^p_a V$ is isomorphic to the space of completely antisymmetric p-linear maps from V to the scalars. Let f denote such a map. Since V is only n-dimensional one cannot have p linearly independent arguments to such maps. Thus one of the arguments must be a linear combination of the others. Thus on any arguments f becomes a combination of terms of the form $f(\ldots)$ where two arguments must be equal. But antisymmetry makes such a term zero. Thus f is the zero vector and the vector space $\otimes^p_a V$ is the one-point space. Thus the infinite direct sum becomes a finite direct sum. Now consider $p \le n$. It is clear that one can only choose $C^n_p$ sets of p linearly independent vectors given a basis. Thus the dimensionality of the space $\otimes^p_a V$ is $C^n_p$ and hence, adding the dimensions to get the dimension of the direct sum, we conclude that the dimension of $\mathcal{F}_A(V)$ is $2^n$. □

The  exponential  law  for  the  antisymmetric  case  can  be  argued  simi¬ 
larly.  The  detailed  verification  can  be  found  in  [BSZ92]  in  Section  3.2  on 
exponential  laws. 
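As an added worked check, not part of the original paper, both exponential laws and Lemma 10(2) can be tested by counting dimensions of the graded pieces of the Fock spaces over finite-dimensional spaces (the symmetric Fock space itself is infinite-dimensional, so only its graded pieces are compared); $C^n_p$ is the binomial coefficient as in the proof above.

```latex
% Dimensions of the graded pieces, dim V = n (added check, not from the paper).
% Symmetric: degree-p monomials in a basis of V; antisymmetric: p-element subsets.
\dim \otimes^p_s V = C^{\,n+p-1}_p, \qquad
\dim \otimes^p_a V = C^{\,n}_p .

% Lemma 10(2): for V = C (n = 1) every symmetric power is one-dimensional,
% so an element of F(C) is a scalar sequence (c, v_1, v_2, ...), as in l_1.
\dim \otimes^p_s \mathbb{C} = C^{\,p}_p = 1 \quad (p \ge 0).

% Proposition 11: summing the antisymmetric powers gives the binomial theorem.
\dim \mathcal{F}_A(V) = \sum_{p=0}^{n} C^{\,n}_p = (1+1)^n = 2^n .

% Proposition 8 in degree 2, dim A = a, dim B = b.
% Left side: the degree-2 piece of F(A x B) is the symmetric square of A (+) B.
\dim \otimes^2_s (A \oplus B) = C^{\,a+b+1}_2 = \tfrac{(a+b)(a+b+1)}{2}.
% Right side: the degree-2 piece of F(A) (x) F(B) collects all j + k = 2.
\dim\big[\otimes^2_s A \oplus (A \otimes B) \oplus \otimes^2_s B\big]
  = \tfrac{a(a+1)}{2} + ab + \tfrac{b(b+1)}{2}
  = \tfrac{a^2 + 2ab + b^2 + a + b}{2}
  = \tfrac{(a+b)(a+b+1)}{2}.

% General degree p: the two sides agree by the identity
\sum_{j=0}^{p} C^{\,a+j-1}_j \, C^{\,b+p-j-1}_{p-j} = C^{\,a+b+p-1}_p ,
% the coefficient of t^p in (1-t)^{-a} (1-t)^{-b} = (1-t)^{-(a+b)}.

% Antisymmetric exponential law F_A(V (+) W) = F_A(V) (x) F_A(W),
% dim V = v, dim W = w: Vandermonde's identity degree by degree, 2^{v+w} overall.
\dim \otimes^p_a (V \oplus W) = C^{\,v+w}_p = \sum_{j=0}^{p} C^{\,v}_j \, C^{\,w}_{p-j},
\qquad 2^{v+w} = 2^v \cdot 2^w .
```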

4.2  Categories  of  algebras 

In  this  section  we  shall  review  some  basic  facts  about  categories  of  alge¬ 
bras,  and  see  in  particular  how  these  fit  into  the  current  context.  (See 
[M71]  for  a  review  of  the  basic  categorical  facts,  and  [L65]  for  the  basic 
algebra,  for  instance.)  For  reference,  we  do  give  the  following  definition 
here. 

³ The arguments below are well-known to differential geometers. Prakash Panangaden would like to thank Steve Vickers for reminding him about these facts. 


Definition 14 A triple consists of a functor $F : \mathcal{B} \to \mathcal{B}$, together with natural transformations $\eta : \mathrm{id} \to F$ and $\mu : FF \to F$, such that $\mu \circ \eta F = \mu \circ F\eta = \mathrm{id}$ and $\mu \circ \mu F = \mu \circ F\mu$. 

One simple point to recall is that categories of algebras and of coalgebras are closely connected to the existence of triples and cotriples. Given a triple $F : \mathcal{B} \to \mathcal{B}$ (with structure morphisms $\eta$, $\mu$), an F-algebra is an object B and a morphism $h : F(B) \to B$ (subject to two commutativity conditions, corresponding to the associative and unit laws). (This notion can be generalized to arbitrary functors.) There is a canonical category of such algebras, the Eilenberg-Moore category $\mathcal{C}^F$, and an adjunction $\mathcal{C} \rightleftarrows \mathcal{C}^F$. Any adjunction canonically induces a triple, and this one canonically induces the original triple. The category of free F-algebras is the Kleisli category $\mathcal{C}_F$ of the triple; again, there is a canonical adjunction $\mathcal{C} \rightleftarrows \mathcal{C}_F$ which induces the original triple. Of course this dualizes for cotriples, with the corresponding notion of coalgebras. (We shall avoid the unpleasant use of terms like "coEilenberg-Moore" and "coKleisli".) 

Usually mathematicians have been more interested in the Eilenberg-Moore category of a triple (or cotriple) than in the Kleisli category; although there has been some interest in Kleisli categories recently (for instance in the context of linear logic, as mentioned earlier in this paper), we shall follow this tradition and shall work in Eilenberg-Moore categories. Indeed, it is there that we shall find some of our models. 
One  reason  for  this  is  quite  practical:  it  is  often  simpler  to  recognize 
the  category  of  algebras  and  so  derive  the  triple  (similarly,  once  one  has  a 
candidate  for  a  triple,  it  is  often  simpler  to  construct  the  category  of  alge¬ 
bras  and  verify  the  adjunction  than  to  directly  show  the  original  functor 
is  a  triple).  But  there  is  another  reason:  we  want  to  show  that  the  Fock 
space  functor  is  a  cotriple  (so  as  to  model  ! ),  but  on  the  categories  of 
spaces  we  consider,  this  is  not  the  case — rather  it  is  a  triple.  By  passing 
to  the  algebras,  we  can  fix  this,  because  of  the  following  fact: 

Fact Given an adjunction $\mathcal{C} \underset{U}{\overset{F}{\rightleftarrows}} \mathcal{D}$, $F \dashv U$, the composite $UF$ is a triple on $\mathcal{C}$, and so (dually) the composite $FU$ is a cotriple on $\mathcal{D}$.

So we obtain our model of ! on the category of algebras. 


4.2.1 Algebras for the symmetric (bosonic) Fock space construction 

We  begin  with  a  more  traditional  notion  of  algebra;  the  connection  be¬ 
tween  these  comes  via  the  triple  induced  by  the  adjunction  given  by  the 
free  algebra  construction,  as  outlined  above.  In  other  words,  the  category 
of  (traditional)  algebras  is  equivalent  to  the  category  of  UF  algebras. 

Definition 15 An algebra A is a space A equipped with morphisms

$m : A \otimes A \to A$ and $i : \mathbb{C} \to A$

satisfying the usual associativity and unit diagrams.

Here we are supposing the base field to be $\mathbb{C}$; otherwise replace $\mathbb{C}$ with the base field k. If in addition the diagram expressing $m \circ \tau = m$ commutes, then the algebra A is said to be symmetric or commutative. ($\tau$ is the canonical "twist" morphism.) 


An  example  of  such  an  algebra  comes  from  the  Fock  space  of  a  Banach 
space:  the  multiplication  m  is  defined  by  “multiplication  of  series”  in  an 
evident  manner.  The  use  of  the  symmetrized  tensor  in  the  definition  of 
Fock  space  guarantees  that  this  will  indeed  be  a  symmetric  algebra,  and 
it  is  standard  that  this  description  gives  the  free  such  algebra.  In  other 
words,  we  have  the  following  proposition. 

Proposition 12 Given a Banach space B, the Fock space $\mathcal{F}(B)$ canonically carries an algebra structure, and indeed is the free symmetric algebra generated by B.

It follows from this (or rather from the adjunction BANCON $\rightleftarrows$ SALG) that we have a cotriple on the category SALG of symmetric algebras, given by taking the Fock algebra on the underlying space of an algebra. As the details of this are both standard and similar to the case of the antisymmetric Fock space construction, which we shall discuss in more detail next, we shall leave the details here to the reader. 

4.3  Algebras  for  the  antisymmetric  (fermionic)  Fock  space 
construction 

Recall that we work in the context of $\mathcal{VEC}_{fd}$, finite dimensional vector spaces, when considering the antisymmetric Fock construction. This category is self-dual, and is compact with biproducts: the product and coproduct coincide. This duality also implies that a triple is also a cotriple, so we can model ! in the category of spaces. However, to show that the Fock space construction defines a triple (or cotriple), it is again simpler to consider the category of algebras. Although we are not familiar with any previous consideration of this category of algebras as such, the context is familiar: the antisymmetric Fock space construction is usually called (when thought of as an algebra) the Grassmann algebra, or the "alternating" or "interior" algebra; the multiplication defined on it is called the "wedge product" (a term derived from the usual notation for this product).

Definition 16 An alternating algebra A is a graded algebra A (with unit) whose multiplication map satisfies the property that, if x, y are of degree m, n respectively, then $xy = (-1)^{nm} yx$ (which by the grading must be of degree $n + m$).

Note that the unit must be of degree 0. Morphisms of alternating algebras are just homomorphisms as algebras. 
Proposition 13 There is a canonical alternating algebra structure on $\mathcal{F}_A(V)$ for any finite dimensional vector space V. The antisymmetric Fock construction is left adjoint to the forgetful functor $U : \mathcal{AALG} \to \mathcal{VEC}_{fd}$, where $\mathcal{AALG}$ is the category of alternating algebras. As a consequence, $\mathcal{F}_A$ defines a triple (and so cotriple) on $\mathcal{VEC}_{fd}$. 

Proof. (Sketch) The multiplication on $\mathcal{F}_A(V)$ is the standard "wedge" product [L65], which to elements $x_1 \otimes_A \cdots \otimes_A x_n$, $y_1 \otimes_A \cdots \otimes_A y_m$ gives the product $x_1 \otimes_A \cdots \otimes_A x_n \otimes_A y_1 \otimes_A \cdots \otimes_A y_m$. Here $x \otimes_A y$ means the equivalence class of $x \otimes y$ in $A \otimes_a A$. (Essentially this is the same "multiplication of power series" we had in the symmetric case, with the alternating product used in place of the usual tensor.) For a vector space V, define $i_V : V \to U\mathcal{F}_A(V)$ as the canonical injection. Given an alternating algebra A, define $\epsilon : \mathcal{F}_A(UA) \to A$ by "adding the terms of the series": $(x_0, x_1, x_1' \otimes_A x_1'', \ldots) \mapsto i(x_0) + x_1 + m(x_1', x_1'') + \cdots$, where i, m are the algebra maps. 

To verify that we have an adjunction we must show the following commute:

$\mathcal{F}_A(V) \xrightarrow{\ \mathcal{F}_A(i_V)\ } \mathcal{F}_A(U\mathcal{F}_A(V)) \xrightarrow{\ \epsilon\ } \mathcal{F}_A(V)$, composing to the identity;

$UA \xrightarrow{\ i_{UA}\ } U\mathcal{F}_A(UA) \xrightarrow{\ U\epsilon\ } UA$, composing to the identity.

The second diagram is obvious; to verify the first, notice that $\mathcal{F}_A(i_V)$ maps

$(x_0, x_1, x_1' \otimes_A x_1'', \ldots) \mapsto (x_0, (0, x_1, 0, \ldots), (0, x_1', 0, \ldots) \otimes_A (0, x_1'', 0, \ldots), \ldots),$

and it is clear that "adding up this series" just returns the original term. □

It now follows that we can model ! in $\mathcal{VEC}_{fd}$ with $\mathcal{F}_A$, via the formula

$!V = (\mathcal{F}_A(V^\perp))^\perp$.


5  The  Holomorphic-Function  Representation 
of  Fock  Space 

A  possible  reaction  to  the  results  of  the  last  section  is  that  the  Fock 
space  construction  works  purely  fortuitously,  in  the  sense  that  the  proper 
notions  of  tensor  products  and  infinite  direct-sums  happen  to  exist  and 
conspire  to  make  the  construction  of  internal  comonoids  possible.  In  the 
present  section  we  argue  that  in  fact  this  construction  is  linked  to  much 
deeper  mathematics.  The  symmetrized  Fock  space  on  a  Banach  space  B, 
turns  out  to  be  a  space  of  holomorphic  functions  (analytic  functions)  on 
B,  properly  defined.  This  hints  at  possible  deeper  connections  between 
analyticity  and  computability  which  need  to  be  explored. 

The  ideas  here  stem  from  early  work  by  Bargmann  [Ba61]  on  Hilbert 
spaces  of  analytic  functions  in  quantum  mechanics.  This  was  extended 
by  Segal  [S62,  BSZ92]  to  quantum  field  theory  and  Segal’s  extension  was 
used  by  Ashtekar  and  Magnon  [AM-A80]  to  develop  quantum  field  theory 
in  curved  spacetimes.  (A  brief  summary  of  the  ideas  is  contained  in  an 
appendix  to  [P80]  and  in  [P79].)  The  latter  work  involved  making  sense  of 
the familiar Cauchy-Riemann conditions on infinite-dimensional spaces. 

We  quickly  recapitulate  the  basic  notion  of  analytic  function  in  terms 
of  one  complex  variable  before  presenting  the  infinite-dimensional  case. 
A  very  good  elementary  reference  is  Complex  Analysis  by  Ahlfors  [Ah66]. 
Given the complex plane, $\mathbb{C}$, one can define functions from $\mathbb{C}$ to $\mathbb{C}$. Let z be a complex variable; we can think of it as $x + iy$ and thus one can think of functions from $\mathbb{C}$ to $\mathbb{C}$ as functions from $\mathbb{R}^2$ to $\mathbb{R}^2$. An analytic 


or holomorphic function is one that is everywhere differentiable. In the notion of differentiation, the limit being computed, viz.

$\lim_{h \to 0} \dfrac{f(x+h) - f(x)}{h}$

allows h to be an arbitrary complex number and hence this limit is required to exist no matter in what direction h approaches 0. This much more stringent requirement makes complex differentiability much stronger than the usual notion of differentiability. If a complex function is differentiable at a point it can be represented by a convergent power series in a suitable open region about the point. If one uses the fact that h can approach zero along either axis one can derive the Cauchy-Riemann equations for a complex valued function $f = u(x, y) + iv(x, y)$ of the complex variable $z = x + iy$,

$\dfrac{\partial u}{\partial x} = \dfrac{\partial v}{\partial y}, \qquad \dfrac{\partial u}{\partial y} = -\dfrac{\partial v}{\partial x}.$


What  is  remarkable  about  complex  functions  is  that  this  definition 
of  analyticity  yields  the  result  that  a  complex-analytic  function  can  be 
expressed  by  a  convergent  power-series  in  a  region  of  the  complex  plane. 
This  is  remarkable  because  only  one  derivative  is  involved  in  the  Cauchy- 
Riemann  equations  whereas  the  statement  that  a  power-series  represen¬ 
tation  exists  is  stronger,  for  real-valued  functions,  even  than  requiring 
infinite  differentiability.  In  real  analysis  one  has  examples  of  functions 
that  are  infinitely  differentiable  at  a  point,  but  do  not  have  a  power  series 
representation  in  any  neighbourhood  of  that  point.  A  function  may  have 
a  power  series  representation  that  is  valid  everywhere,  a  so-called  entire 
holomorphic  function;  the  complex  exponential  function  is  an  example. 

There is a formal perspective, due to Weierstrass, that is rather more illuminating. Think of a complex variable $z = x + iy$ and its conjugate $\bar z = x - iy$ as being, formally, independent variables. A function could depend on z and on its complex conjugate, $\bar z$, for example, the function that maps each z to $z^2 + i z \bar z$. An analytic or holomorphic function is one which has no dependence on $\bar z$. This is expressed formally by $\partial f / \partial \bar z = 0$. When expressed in terms of the real and imaginary parts of f and z, this equation becomes the familiar Cauchy-Riemann equations. Thus this reinforces the view that a holomorphic function is properly thought of as a single complex-valued function of a single variable rather than as two real-valued functions of two real variables. 
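As an added illustration, not part of the original paper, the Weierstrass viewpoint can be checked on the two functions just mentioned: writing $x = (z + \bar z)/2$ and $y = (z - \bar z)/2i$ gives $\partial/\partial \bar z$ in real coordinates, and applying it to $f = u + iv$ recovers the Cauchy-Riemann equations.

```latex
% Chain rule with z = x + iy and \bar z = x - iy treated as independent variables.
\frac{\partial}{\partial \bar z}
  = \frac{\partial x}{\partial \bar z}\,\frac{\partial}{\partial x}
  + \frac{\partial y}{\partial \bar z}\,\frac{\partial}{\partial y}
  = \frac{1}{2}\left(\frac{\partial}{\partial x} + i\,\frac{\partial}{\partial y}\right).

% Applied to f = u + iv, the real and imaginary parts are the Cauchy-Riemann system.
\frac{\partial f}{\partial \bar z}
  = \frac{1}{2}\Big[\Big(\frac{\partial u}{\partial x} - \frac{\partial v}{\partial y}\Big)
  + i\Big(\frac{\partial u}{\partial y} + \frac{\partial v}{\partial x}\Big)\Big],
\qquad
\frac{\partial f}{\partial \bar z} = 0
\iff
\frac{\partial u}{\partial x} = \frac{\partial v}{\partial y},\ \
\frac{\partial u}{\partial y} = -\frac{\partial v}{\partial x}.

% Holomorphic case: f(z) = z^2, so u = x^2 - y^2 and v = 2xy.
\frac{\partial u}{\partial x} = 2x = \frac{\partial v}{\partial y},\qquad
\frac{\partial u}{\partial y} = -2y = -\frac{\partial v}{\partial x},\qquad
\frac{\partial f}{\partial \bar z} = 0 .

% Non-holomorphic case from the text: g(z) = z^2 + i z \bar z, with z \bar z = x^2 + y^2,
% so u = x^2 - y^2 and v = 2xy + x^2 + y^2; the \bar z-dependence shows up either way.
\frac{\partial g}{\partial \bar z} = i z \neq 0 \quad (z \neq 0),\qquad
\frac{\partial u}{\partial x} = 2x \neq 2x + 2y = \frac{\partial v}{\partial y} \quad (y \neq 0).
```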

The  theory  of  functions  of  finitely  many  complex  variables  is  a  non¬ 
trivial  extension  of  the  theory  of  functions  of  a  single  complex  variable. 
Entirely new phenomena occur, which have no analogues in the theory of a single complex variable. An excellent recent text is the three volume treatise by Gunning [Gu90]. For our purposes we need only the barest beginnings of the theory. Given $\mathbb{C}^n$, we can have functions from $\mathbb{C}^n$ to $\mathbb{C}$. One can introduce complex coordinates on $\mathbb{C}^n$, $z_1, \ldots, z_n$. One can define a holomorphic function here as one having a convergent power-series expansion in $z_1, \ldots, z_n$. The key lemma that allows one to mimic some of the results of the one-dimensional case is Osgood's lemma⁴. 

Lemma 14 If a complex-valued function is continuous in an open subset D of C^n and is holomorphic in each variable separately, then it is holomorphic in D.

From this one can conclude that a holomorphic function in n variables satisfies the Cauchy-Riemann equations ∂f/∂z̄_j = 0. One is free to take either one of (a) satisfying Cauchy-Riemann equations or (b) having convergent power-series representations as the definition of holomorphicity.

Now we describe how to define holomorphic functions on infinite-dimensional, complex, Banach spaces. The basic intuition may be summarized thus. One starts with subspaces of finite codimension. Thus the quotient spaces are isomorphic to some C^n. One can define what is meant by a holomorphic function on these quotient spaces as in the preceding paragraph. By composing a holomorphic function with the canonical surjection from the original Banach space to the quotient space we get a function on the original Banach space. These functions can all be taken to be holomorphic.

[Diagram: B → B/U ≅ C^n → C]

Intuitively these are the functions that are constant along all but finitely many directions, and holomorphic in the directions along which they do vary. These functions are called cylindric holomorphic functions. Because the sequence of coefficients of a power-series is absolutely convergent, we can define an l_1 norm on these functions in terms of the power-series. Finally the collection of all holomorphic functions is defined by taking the l_1-norm completion of the cylindric holomorphic functions.

⁴ There is a considerably harder theorem, called Hartogs' theorem, which drops the requirement of continuity.


Given a Banach space B, let U be a subspace with finite codimension n, i.e. the quotient space B/U is an n complex-dimensional vector space. The space B/U is isomorphic to C^n. Let φ : B/U → C^n be an isomorphism; such a map defines a choice of complex coordinates on B/U. Let π_U be the canonical surjection from B to B/U.

Definition 1 A cylindric holomorphic function on B is a function of the form f ∘ φ ∘ π_U, where U, π_U and φ are as above and f is a holomorphic function from C^n to C.

We need to argue that the choice of coordinates does not make a real difference. Of course which functions get called holomorphic does depend on the choice of coordinates, but the space of holomorphic functions has the same structure⁵. Suppose that U and V are both subspaces of B and that U is included in V. Suppose that both these spaces are spaces of finite codimension, say n and m respectively. Clearly n > m. Now we have a linear map π_UV : B/U → B/V given by x + U ↦ x + V; clearly this is a surjection. Now given coordinate functions φ : B/U → C^n and ψ : B/V → C^m we can define a function σ : C^n → C^m, given by ψ ∘ π_UV ∘ φ^{-1}, which makes the diagram commute. Thus we do not have to impose "coherence" conditions on the choice of coordinates, we can always translate back and forth between different coordinate systems.

We will suppress these translation functions in what follows and assume that the coordinates have been serendipitously chosen to make the form of the functions simple. In other words, we can fix a family of subspaces {W_n | n ∈ N} with W_n having codimension n and W_{n+1} ⊂ W_n. The coordinates can be chosen so that the space B/W_n has coordinates z_1, ..., z_n.

Suppose that f is a cylindric holomorphic function on B. This means that there is a finite-codimensional subspace W, and a holomorphic function f_W, from W to C, such that f = f_W ∘ π_W. The function f_W regarded as a function of n complex variables has a power-series representation

•  •  •  ?  •*«)  =  ...Zf. 

and  furthermore  we  have  the  following  convergence  condition 

< ∞.

⁵ This happens even in the one dimensional case. The function z̄ is considered anti-holomorphic traditionally, but one could have called it holomorphic by interchanging the roles of z and z̄.



Thus with each such cylindric holomorphic function we can define the sum of the absolute values of the coefficients in the power-series expansion as the norm of the function. Viewing the sequences of coefficients as the elements of a complex vector space, we have an l_1 norm. We write ‖f‖ for this norm of a cylindric holomorphic function.

Definition 2 An l_1-holomorphic function on B is the limit of a sequence of cylindric holomorphic functions in the above norm.

The l_1 emphasizes that the holomorphic functions are obtained by a particular norm completion. In the corresponding theory of holomorphic functions on Hilbert spaces, one uses the inner-product to define polynomials and then performs a completion in the l_2 norm. A key difference is that our norm is defined on the sequence of coefficients whereas in the Hilbert space case, one uses the L_2 norm which is defined in terms of integration.

In the resulting Banach space there are several formal entities that were adjoined as part of the norm-completion process. We need to discuss in what sense these formally-defined entities can be regarded as bona-fide functions. Let W_1, ..., W_r, ... be an infinite sequence of subspaces of B, each embedded in the previous. Assume, in addition, that all these spaces have finite codimension. Now assume that there is a sequence of cylindric holomorphic functions, f_n, on B obtained from a holomorphic function, f^{(n)}, on each of the quotient spaces B/W_i. Finally, assume that the sequence ‖f_n‖ of (real) numbers is convergent. Such a sequence of cylindric holomorphic functions defines a holomorphic function on B. We call this function f. We need to exhibit f as a map from B to C.

Accordingly, let x be a point of B. For each of the functions f_n we have |f_n(x)| < ‖f_n‖. Since the sequence of norms converges we have the sequence f_n(x) converges absolutely and hence converges. Thus the function f qua function is given at each x of B by lim_{n→∞} f_n(x). However, in order to use the word "function" we need to show that the power-series has a domain of convergence. Unfortunately, it may not have a non-trivial domain of convergence but, in a sense to be made precise, it comes close to having a non-trivial domain of convergence.

The power-series representation of the function f is given as follows. It depends, in general, on infinitely many variables but each term in the power series will be a monomial in finitely many variables. Consider the coefficient of z_{j_1}^{k_1} ⋯ z_{j_r}^{k_r} in the expansion of f. In all but finitely many of the f_n all the indicated variables will appear in their power-series expansions. Consider the coefficients of this term in each power series; this forms a sequence of complex numbers a_n where a_n is 0 if there is no such term in the expansion of f_n. Since |a_n| < ‖f_n‖ the sequence a_n converges absolutely and hence converges to, say, a. This is the coefficient of z_{j_1}^{k_1} ⋯ z_{j_r}^{k_r} in the power-series expansion of f.

Consider the coordinates z_1, ..., z_n. This defines an n-dimensional subspace of the Banach space, which we call U_n. Now consider the power-series for f. It defines a family of holomorphic functions f^n where f^n is defined on the subspace U_n and is obtained by retaining only those terms in the power-series expansion of f which involve variables among z_1, ..., z_n. These are analytic functions on the U_n and, as such, have non-trivial domains of convergence. However, as n increases the radii of convergence could tend to 0. So we have the slightly weaker statement than the usual finite-dimensional notion; instead of having a non-zero radius of convergence in the Banach space we have a non-zero radius of convergence on every finite-dimensional subspace. If one uses entire functions, rather than analytic functions, as the starting point of the construction, then one can show that the resulting functions are entire; see page 67, theorem 1.13, of the book by Baez, Segal and Zhou [BSZ92]. Unfortunately when using the representation of elements of Fock space one may carry out simple operations that do not produce entire functions so we cannot just choose to work with entire functions. Nevertheless, many common functions, most notably the exponential, are entire.

Given a bona fide holomorphic function one can express it as a power series. The coefficients are calculated in the usual way, viz. by using Taylor's theorem.

Since the mixed partial derivatives commute (the functions are holomorphic and hence certainly differentiable enough) the partial derivatives are, concretely speaking, symmetric arrays. Abstractly speaking this just means that they are elements of the symmetrized tensor product.

We  can  write  this  as  follows. 


Theorem 15 A holomorphic function can be represented by its power-series expansion where the n-th term in the power-series expansion is a symmetrized n-th derivative:

f = Σ_k (1/k!) D^k f

where the notation D^k f means the symmetrized k-th derivative of f.




The  symmetrized  derivatives  live  in  the  symmetrized  tensor  products 
of  B  with  itself.  One  thus  has  a  correspondence  with  the  standard  Fock 
representation  and  the  notion  of  holomorphic  function  since  in  each  case 
one  has  a  string  of  symmetrized  vectors. 

5.1  A  Digression  on  Complex  Structures 

This section can be skipped on a first reading⁶; however, the reader who
feels  queasy  about  all  the  explicit  coordinate  dependence  in  the  definitions 
so  far  may  find  this  section  comforting.  There  is  no  need  to  start  with 
complex  vector  spaces.  One  could  have  used  real  vector  spaces  from  the 
outset.  In  order  to  sketch  this  briefly  we  begin  with  the  notion  of  a 
complex  structure  on  a  vector  space. 

Definition 17 Let V be a real vector space. A complex structure is a linear operator J : V → V such that J² = −I.

An example of a complex structure on R² is

(•■;) 

It  is  immediate  that  V  must  be  even-dimensional  or  infinite-dimensional 
if  a  complex  structure  exists  on  it.  A  given  vector  space  may  have  several 
different  complex  structures  defined  on  it. 

One can go back and forth between real vector spaces equipped with complex structures and complex vector spaces in the following way. Suppose that (V, J) is a real vector space equipped with a complex structure. Now we can formally define the "complexification" of V as a vector space V_C = V' ⊕ V'' where V' and V'' are copies of V and multiplication by complex numbers is given by (x + iy)·(a, b) = (xa − by, xb + ay). Now we can define a linear operator P on V_C by the formula P(a, b) = (1/2)(a + Jb, b − Ja). It is easy to verify that P defines a projection operator on V_C. It defines a subspace of V_C, which is, as a real vector space, isomorphic to V. Similarly, given a complex vector space W we can construct a real vector space which is isomorphic to W, as a real vector space, and equip it with a complex structure which will give us back W when we apply the construction above to it. We first form the direct sum W ⊕ W. Now we define a complex structure on this space by J(a, b) = (ia, −ib). It is easy to check the claims made. The upshot is that one can talk about real vector spaces equipped with complex structures or about complex vector spaces interchangeably.

⁶ and every subsequent reading as well.
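The checks the text leaves to the reader, carried out here with the text's own symbols (an added derivation, not part of the paper): P is idempotent, P commutes with multiplication by i so that its image is a complex subspace of V_C, and that image is the copy {P(a, 0) : a ∈ V} of V.

$$
\begin{aligned}
P^2(a,b) &= P\big(\tfrac12(a+Jb),\ \tfrac12(b-Ja)\big)
 = \tfrac14\big(a + Jb + J(b-Ja),\ b - Ja - J(a+Jb)\big)\\
 &= \tfrac14\big(a + Jb + Jb - J^2 a,\ b - Ja - Ja - J^2 b\big)
 = \tfrac12\big(a+Jb,\ b-Ja\big) = P(a,b),
\end{aligned}
$$

using J² = −I in the last step. With the multiplication rule above, i·(a, b) = (−b, a), so

$$
P\big(i\cdot(a,b)\big) = P(-b,\,a) = \tfrac12(-b + Ja,\ a + Jb)
 = i\cdot\tfrac12(a + Jb,\ b - Ja) = i\cdot P(a,b).
$$

Finally P(0, b) = ½(Jb, b) = P(Jb, 0), so every element of the image is P(a, 0) = ½(a, −Ja) for a unique a ∈ V; the map a ↦ P(a, 0) is the real-linear isomorphism of V with the image.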

The final piece of mathematics that we need is the Lie derivative from classical differential geometry. Developing the definitions from scratch would involve a long digression. Fortunately the ideas are simple so we will give an intuitive account. In what follows the word "smooth" is meant to signify infinitely differentiable. Consider a smooth manifold; a curved surface is an excellent model to keep in mind. Suppose that one has a smooth vector field on this manifold; that is to say a smooth assignment of a vector at every point on the manifold. Classical results from differential equations say that there is a family of nonintersecting curves that fill the manifold and such that the curves are everywhere tangent to the given vector field. Now these curves are all parametrized by a real parameter say t. If we fix a value for t, we can define a smooth bijective map ψ_t of the manifold to itself (a so-called "diffeomorphism") which is defined by moving each point t units along the unique curve passing through it. We can make the map act on functions defined on V as follows: ψ_t(f) = f ∘ ψ_t, for f a complex-valued function defined on V. We can now define the Lie derivative of f along the vector field v at the point p as the limit

𝓛_v f (p) = lim_{t→0} [ψ_t(f)(p) − f(p)] / t.


This gives another function from V to the complex numbers. Intuitively we imagine that the given vector field, v, defines a flowing fluid. The vector at each point defines the velocity of the fluid locally and the streamlines of the fluid give the family of curves mentioned above. The Lie derivative measures changes that an observer flowing with the fluid would see.

For us the Lie derivative tells us how to define changes seen "when travelling along the direction defined by a vector field". Now recall what is meant by an analytic function in ordinary complex analysis. A complex-valued function of two real variables, x and y, is analytic if it depends only on the complex variable z = x + iy and not on the conjugate variable z̄ = x − iy. The Cauchy-Riemann equations say this precisely. The Lie derivative is what we need in order to do this in the infinite-dimensional case.


Definition 18 Let B be a Banach space over the complex numbers. Now let J be a complex structure on this space. We call a vector v holomorphic if Jv = iv and anti-holomorphic if Jv = −iv. If we have a real vector space V, equipped with a complex structure, we can define a holomorphic or an anti-holomorphic vector in the same way.

A holomorphic vector plays roughly the role of a complex variable while an anti-holomorphic vector plays the role of a complex-conjugate variable. Now we can state the infinite-dimensional analogue of the Cauchy-Riemann conditions.

Definition 19 A function f : V → C is holomorphic if (i) it is differentiable and (ii) for every anti-holomorphic vector field v we have 𝓛_v f = 0. An equivalent condition is 𝓛_{Jv} f = i 𝓛_v f for holomorphic vector fields v.

It is easy to check that the latter form of the second condition gives the usual Cauchy-Riemann equations in the one-dimensional case by choosing the vector fields appropriately.

6  The  Physical  Origin  of  Fock  Space 

The Fock space constructions described in the previous sections were independently invented by physicists and mathematicians. The symmetric Fock space (called the bosonic Fock space by physicists) is well known to mathematicians as the symmetric tensor algebra whereas the antisymmetric Fock space (fermionic Fock space) was invented by Grassmann, at least in the finite-dimensional case, under the name of exterior algebra or alternating algebra. In this section we describe the role of Fock space in quantum field theory. In order to prevent intolerable regress in definitions we assume that the reader has an at least intuitive grasp of differential equations, the definition of a smooth manifold and associated concepts like that of a smooth vector field⁷.

We begin with a brief discussion of quantum mechanics and classical mechanics. In classical mechanics one has systems which vary in time. The role of theory is to describe the temporal evolution of systems. Such temporal evolution is governed by a differential equation. The fact that one uses differential equations says something fundamental about the local nature of the dynamics of physical systems, at least according to conventional classical mechanics. In dealing with differential equations one has to distinguish between quantities that are determined and quantities that may be freely specified: the so called "initial conditions". Experiment tells one that systems are described by second-order differential equations and hence that the functions being described and their first derivatives, at a given point of time, are part of the initial conditions. The space of all possible initial conditions is called the space of possible states or "phase" space, and is the kinematical arena on which dynamical evolution occurs⁸. A fundamental mathematical assumption is that the phase space is a 2n dimensional smooth manifold⁹. The points of phase space are called states. If the system is a collection of, say 7, particles, the states will correspond to the 42 numbers required to specify the positions and the velocities of each of the particles in three-dimensional space.

⁷ Remarks requiring a more sophisticated vocabulary will appear as footnotes.

Through  each  point  in  phase  space  is  a  vector  giving  rise  to  a  smooth 
vector  field  called  the  Hamiltonian  vector  field.  One  can  draw  a  family  of 
curves  such  that  at  every  point  there  is  exactly  one  curve  passing  through 
that  point  and  the  Hamiltonian  is  tangent  to  the  curve  at  that  point. 
Roughly  speaking,  the  vector  field  defines  a  differential  equation  and  the 
curves  represent  the  family  of  solutions  where  each  point  represents  a 
possible  specification  of  initial  conditions.  An  observable  is  a  physical 
quantity  that  is  determined  by  the  state.  As  such  it  corresponds  to  a 
real-valued function on phase space. A typical example is the total energy
of  a  system.  Most  of  experimental  mechanics  is  aimed  at  determining  the 
Hamiltonian.  In  the  formal  development  of  analytical  mechanics  there  is 
a  special  antisymmetric  2-form  called  the  symplectic  form  which  plays  a 
fundamental  mathematical  role  but  is  hard  to  describe  in  an  intuitive  or 
purely  physical  way. 

In quantum mechanics, the above picture changes in the following fundamental ways. The observables become the fundamental physical entities. These are defined to form a particular subalgebra of an algebraic structure called a C*-algebra. The key point is that this algebra is not commutative, unlike the algebra of smooth functions on a manifold. Furthermore, the failure of commutativity is directly linked to the symplectic form; this was Dirac's contribution to the theory of quantum mechanics. Thus, structures available at the classical level provide guidance as to what the "correct" C*-algebra should be.

There is a representation of this algebra as the algebra of operators on a Hilbert space. The space of states acquires the structure of a Hilbert space and becomes the carrier of the representation of the C*-algebra. One presentation of this abstract Hilbert space is as the space of square-integrable complex-valued functions on a suitable underlying space; for example the space of possible configurations of a system. The space of states has acquired linear structure; this means that one can add states reflecting the intuition that in quantum mechanics a system can be in the superposition of two (or more) states. The inner product measures the extent to which two states resemble each other. Finally the fact that one has complex functions is strongly suggested by the observation of interference phenomena in nature.

⁸ Sometimes one has a more complicated situation in which the phase space is constrained in such a way that it cannot be simply defined as a manifold. These are called non-holonomic constraints and correspond to such familiar situations as skating and rolling.

⁹ Actually it has the structure of the cotangent bundle of a smooth n-manifold.

An observable is a self-adjoint operator. The link between the mathematics and experiment is the following. If one attempts to measure the observable O for a system in state ψ one will obtain an eigenvalue of O. Self-adjoint operators have real eigenvalues so we will get a real-valued result. If ψ is an eigenvector with eigenvalue a, then, with no indeterminacy or uncertainty, one will obtain the value a. If ψ is not an eigenvector, one can express ψ as a linear combination of eigenvectors in the form ψ = Σ a_i ψ_i where the ψ_i are assumed to be eigenvectors with eigenvalues λ_i. The result of measuring O will be λ_i with probability |a_i|². It is important to keep in mind that the absolute squares of the a_i correspond to probabilities but it is the a_i themselves that enter into the linear combinations of states. This interplay between the complex coefficients and the interpretation of their squares as probabilities is what distinguishes the probabilistic aspects of quantum mechanics from statistical mechanics which also has a probabilistic aspect but where one directly manipulates probabilities.

The dynamics of systems is described by a first-order differential equation called Schroedinger's equation. Thus, the evolution of states in quantum mechanics is determinate, just as in classical mechanics. The indeterminacy usually associated with quantum mechanics appears in the fact that the state of a system may not be an eigenstate of the observable being measured so the outcome of the measurement may be indeterminate.

Quantum mechanics is designed to handle systems in which the number of interacting entities (usually called "particles") is fixed. On the other hand, experiment tells us that at sufficiently high energies particles may be created or destroyed. Quantum field theory was invented to account for such processes. The original formulations of this theory due to Dirac, Heisenberg, Fock, Jordan, Pauli, Wigner and many others were quite heuristic. Now a reasonably rigorous theory is available; see the book by Baez, Segal and Zhou [BSZ92] for a recent exposition of quantum field theory.

The first need in a many-particle theory is a space of states which can describe variable numbers of particles; this is what Fock space is [Ge85]. The second ingredient is the availability of operators that can describe the creation and annihilation of particles. Of course, there is much more that needs to be said in order to see how all this formalism translates into calculations of realistic physical processes but that would require a very thick book which, in any case, has been written many times over.

Given a Hilbert space H in quantum mechanics representing the states of a single particle one can construct a many-particle Hilbert space as ℱ(H). Suppose that ψ, φ ∈ H; one interprets the element ψ ⊗_s φ of H ⊗_s H as a two-particle state with one particle in the state ψ and the other in the state φ. Similarly for the other summands of ℱ(H). The reason for the symmetrization is that one is dealing with indistinguishable particles so that the n-particle states have to carry representations of the permutation group. Thus one could have particle states that were symmetric or antisymmetric under interchange leading to the bosonic or fermionic Fock spaces respectively. It is a remarkable fact that both types of particles are observed in nature. Notice that ψ ∧ ψ is identically zero hence one cannot have many-particle states in the antisymmetric Fock space in which both particles are in the same one-particle state. This is observed in nature as the exclusion principle. Fock space is the space of states for quantum field theory and is constructed from the space of states for quantum mechanics.

The following interesting operators are defined on Fock space. Let ψ = (ψ_0, ψ_1, ψ_2, ..., ψ_n, ...) be an element of ℱ(H). Now let σ be an element of H. We define the operator C(σ) by

C(σ)ψ = (0, ψ_0 σ, √2 ψ_1 ⊗_s σ, ..., √(n+1) ψ_n ⊗_s σ, ...)

This operator creates a particle in the state σ. There is an analogous operator A(σ) which destroys a particle in state σ. These two operators are adjoint to each other. The fundamental algebraic relation between them is A(σ)C(σ) − C(σ)A(σ) = I where I is the identity operator. From these two we can define the operator N(σ) = C(σ)A(σ). Let v_n be a state with n particles in the state σ and with no other particles. For the rest of the paragraph we drop explicit mention of σ. Now A v_n = √n v_{n−1} and C v_n = √(n+1) v_{n+1}, hence we have N v_n = n v_n. Thus v_n is an eigenstate of N with eigenvalue n; for this reason N is called the number operator. Now we also have N A v_n = (AC − I) A v_n = A(CA − I) v_n = A(N − I) v_n = (n − 1) A v_n. In other words, A v_n is also an eigenstate of N with eigenvalue (n − 1). This justifies the name "annihilation" operator. A similar calculation can be done for the creation operator. If we are successful in developing a theory of reduction of proof nets in terms of operator algebras, in the sense of Girard's geometry of interaction, we will have the A and C operators available. We hope that these can be used to give a quantitative handle on resource consumption during computation.

The presentation of Fock space above emphasized the concept of many-particle states. Mathematically, however, ℱ(H) is just a Hilbert space and can be presented differently. As we have shown in the last section, it can be presented as the space of holomorphic functions on a Hilbert space (the details are somewhat different from the Banach space case but the ideas are essentially the same). The space of holomorphic functions has as its inner product

⟨g, f⟩ = ∫ f(z) ḡ(z) e^{−z z̄} dz dz̄.

(See [IZ80] page 435, for example.) What do the creation and annihilation operators look like from this perspective? For simplicity, let us look at power series in a single variable z. This amounts to only looking at the many-particle states of the form σ tensored with itself. The creation operator is just z·(.) while the annihilation operator is just d(.)/dz. One can easily check that (AC − CA)f = d(z·f)/dz − z·df/dz = f; in other words the basic algebraic relation holds. Furthermore one can ask what the eigenstates of A and C look like. Clearly the eigenstate of C is just the zero vector. The eigenstate of A is the state represented by the holomorphic function e^z. These states actually exist in nature and are called "coherent" states; they occur, for example, in lasers. The key point about coherent states is that they "look classical"; one can remove a particle without changing the state. As such they bear a superficial resemblance to the role of ! formulas in linear logic.
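As an added example, not code from the paper: the single-mode creation and annihilation operators of the two preceding paragraphs in both pictures, the occupation-number one (A v_n = √n v_{n−1}, C v_n = √(n+1) v_{n+1}) and the holomorphic one (C = z·(.), A = d/dz), with checks of AC − CA = I, N v_n = n v_n, N A v_n = (n−1) A v_n and the coherent state. It goes slightly beyond the text by using e^{λz} for arbitrary λ as the A-eigenstate, and it assumes the standard correspondence v_n ↔ z^n/√(n!), which the paper does not spell out.

```python
from fractions import Fraction
from math import factorial, sqrt

# One mode of Fock space, constructed for this example. A holomorphic function
# of the single variable z is stored as its power-series coefficients
# [c_0, c_1, ...]; a Fock vector is stored as its amplitudes [psi_0, psi_1, ...]
# on the states v_n with n particles in the fixed one-particle state sigma.


def trim(v):
    """Drop trailing zeros so that equal vectors compare equal."""
    v = list(v)
    while v and v[-1] == 0:
        v.pop()
    return v


def l1_norm(c):
    """The paper's norm: the sum of the absolute values of the coefficients."""
    return sum(abs(x) for x in c)


# --- holomorphic picture: C = z*(.), A = d(.)/dz, N = C A = z d/dz ---

def creation_hol(c):
    """Multiplication by z shifts every coefficient up one degree."""
    return trim([0] + list(c))


def annihilation_hol(c):
    """d/dz sends c_k z^k to k c_k z^(k-1)."""
    return trim([k * c[k] for k in range(1, len(c))])


def number_hol(c):
    return creation_hol(annihilation_hol(c))


def commutator_defect(c):
    """(A C - C A) f - f; empty (zero) for every f exactly when AC - CA = I."""
    ac = annihilation_hol(creation_hol(c))
    ca = creation_hol(annihilation_hol(c))
    n = max(len(ac), len(ca), len(c))
    pad = lambda v: list(v) + [0] * (n - len(v))
    return trim([a - b - x for a, b, x in zip(pad(ac), pad(ca), pad(c))])


def monomial(n):
    """z^n, the holomorphic face of 'n particles in the state sigma'."""
    return [0] * n + [1]


def coherent(lam, degree):
    """Power series of exp(lam*z), cut off at the given degree (exact arithmetic)."""
    lam = Fraction(lam)
    return [lam ** k / factorial(k) for k in range(degree + 1)]


def scale(lam, c):
    return trim([lam * x for x in c])


# --- occupation-number picture: A v_n = sqrt(n) v_{n-1}, C v_n = sqrt(n+1) v_{n+1} ---

def creation_fock(psi):
    return trim([0.0] + [sqrt(n + 1) * psi[n] for n in range(len(psi))])


def annihilation_fock(psi):
    return trim([sqrt(n) * psi[n] for n in range(1, len(psi))])


def number_fock(psi):
    return creation_fock(annihilation_fock(psi))


def to_hol(psi):
    """Assumed dictionary v_n <-> z^n / sqrt(n!): amplitude psi_n becomes coefficient psi_n / sqrt(n!)."""
    return trim([psi[n] / sqrt(factorial(n)) for n in range(len(psi))])


def close(u, v, tol=1e-9):
    """Componentwise comparison of two vectors that may contain floats."""
    n = max(len(u), len(v))
    pad = lambda w: list(w) + [0] * (n - len(w))
    return all(abs(a - b) < tol for a, b in zip(pad(u), pad(v)))


if __name__ == "__main__":
    f = [1, 2, 0, 5]                       # constructed sample series 1 + 2z + 5z^3
    print("AC - CA = I on f:", commutator_defect(f) == [])
    print("N z^3 = 3 z^3:", number_hol(monomial(3)) == [0, 0, 0, 3])
    print("A e^z = e^z (truncated):", annihilation_hol(coherent(1, 6)) == coherent(1, 5))
    print("A e^{2z} = 2 e^{2z}:", annihilation_hol(coherent(2, 5)) == scale(2, coherent(2, 4)))
    v2 = [0.0, 0.0, 1.0]                  # the state v_2
    print("N v_2 = 2 v_2:", close(number_fock(v2), [0.0, 0.0, 2.0]))
    print("N A v_2 = 1 A v_2:", close(number_fock(annihilation_fock(v2)), annihilation_fock(v2)))
    print("C agrees in both pictures:", close(creation_hol(to_hol(v2)), to_hol(creation_fock(v2))))
```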

7  Conclusion 

To summarize the results we have claimed in this paper, we have produced models of the following fragments of linear logic. First, in finite-dimensional vector spaces we have a complete model of classical linear logic, albeit with a compact category, so that the tensor and par are identified, as are ! and ?. In the category of symmetric Banach algebras we have a model of the ⊗, ×, ⊕, ! fragment. This category cannot be endowed with closed structure, since Hom(X, Y) = Hom(I ⊗ X, Y) = Hom(I, X ⊸ Y); in this category the unit I for ⊗ is also the initial object so the last hom set would have to be a singleton, clearly not the case for arbitrary X, Y. The closely related BANCOM has several very pleasant features as a model of the multiplicative and additive fragment of linear logic — it is a rare example of a category of linear spaces which is neither additive nor compact — but unfortunately it is not possible to extend this to a model of ! on the algebra category as we did with BANACH as the exponential isomorphism fails there. In HILBERT we get results analogous to those with BANACH, modelling the ⊗, ×, ⊕, ! fragment in the category of algebras. In addition to producing these models, we have described a mathematical representation for ! using holomorphic functions which suggests that one might profitably think of computability in terms of analyticity rather than continuity. Furthermore the mathematical structures described in this paper arise from quantum field theory and are suggestive of links with that subject.

It  is  crucial  that  one  appreciate  the  differences  between  our  work  and 
that  of  Girard  in  [G89].  He  has  also  used  Banach  algebras  but  all  proofs 
are  represented  in  a  single  Banach  algebra,  whereas  we  model  formulas 
as  individual  algebras,  with  proofs  as  algebra  homomorphisms.  That  is 
to  say,  we  work  in  the  category  of  Banach  algebras,  rather  than  inside  a 
particular  algebra.  His  major  achievement  is  modelling  cut  elimination 
in  terms  of  operator  algebras.  We  on  the  other  hand  model  provability 
in  the  appropriate  fragment  of  linear  logic. 

Our next goal is to model the proof theory of linear logic in the spirit
of Geometry of Interaction. Rather than following Girard, we will be
guided by the following intuitions which are suggested by the physical
interpretation of Fock space. We think of formulas as representing states,
that is to say elements of a Fock space; a proof represents the process of
interaction between particles in the initial state resulting in the particles
observed in the final state. Mathematically the process is described by a
combination of creation and annihilation operators. Proof normalization
transforms processes into “observably equivalent” processes. In particular,
we hope that our version of such a theory will permit a sharper
analysis of complexity of computations.
Abstract. There is a standard syntax for Girard’s linear logic, due to
Abramsky,  and  a  standard  semantics,  due  to  Seely.  Alas,  the  former  is 
incoherent  with  the  latter:  different  derivations  of  the  same  syntax  may 
be  assigned  different  semantics.  This  paper  reviews  the  standard  syntax 
and  semantics,  and  discusses  the  problem  that  arises  and  a  standard 
approach  to  its  solution.  A  new  solution  is  proposed,  based  on  ideas 
taken  from  Girard’s  Logic  of  Unity.  The  new  syntax  is  based  on  pattern 
matching,  allowing  for  concise  expression  of  programs. 


1  Introduction 

Somewhere inside linear logic, there is a programming language struggling to
get out. We wish to define an analogue of lambda calculus to solve the following
equation

$$\frac{\text{lambda calculus}}{\text{intuitionistic logic}} \;=\; \frac{?}{\text{linear logic}}$$

What does this language look like?

One  would  think  the  answer  should  be  straightforward  by  now.  There  is  the 
linear  logic  of  Girard  [Gir87],  there  is  the  syntax  of  Abramsky  [Abr90],  and  there 
is  the  semantics  of  Seely  [See89].  Each  of  these  has  become  a  standard. 

Abramsky was inspired by the earlier work of Lafont [Laf88] and Holmstrom
[Hol88], and in turn inspired related systems by Chirimar, Gunter, and Riecke
[CGR92], Lincoln and Mitchell [LM92], Mackie [Mac91], Troelstra [Tro92], and
Wadler [Wad90, Wad91].

Seely provided a categorical model, that subsumes other models such as
coherence spaces [Gir87], event spaces [Pra91], games [LS91], and the Geometry
of Interaction [AJ92].

Unfortunately, Abramsky’s syntax is incoherent with Seely’s semantics: different
derivations of the same term may yield different semantics. The basic
problem is that Promotion does not commute with substitution. All of the above
syntaxes suffer from a similar problem in one form or another, meaning that it is
difficult to assign them a meaning in any of the above models. (While the above
rightly credits Abramsky’s influence, it would be wrong to burden him with too
much blame. His syntax is coherent with the operational model he uses.)

This difficulty was spotted previously by myself [Wad92]. Other researchers
have not only observed the problem, but also proposed a solution in the form of
a syntax that ‘boxes’ the Promotion rule, in much the same way that boxes are
used in proof nets. Notable in this regard is the work of Benton, Bierman, de
Paiva, and Hyland [BBdPH92], which provides a thorough introduction to natural
deduction and sequent versions of linear logic, their categorical semantics,
and the associated proof theory.

This paper presents a new syntax for linear logic that resolves the Promotion
problem. The new syntax follows naturally from the idea of using patterns in
sequents to represent destructors. It is closely related to Girard’s Logic of Unity,
LU (though without the polarities) [Gir91]. Indeed, the syntax presented here
is based on a suggestion from Jean-Yves Girard, who pointed out to me that
the problems I had noted with the standard syntax are resolved in the syntax of
LU. The syntax also bears a passing resemblance to Moggi’s calculus for monads
[Mog89].

The syntax has been expressed in a way such that Dereliction and Promotion
are made explicit, but Contraction and Weakening are left implicit. Even though
linear logic is a ‘resource conscious’ logic, it seems adequate to be conscious of
Dereliction and Promotion alone. The semantics introduces sufficient coherence
properties so that the precise order in which Contraction and Weakening are
applied is irrelevant. Such details may safely be omitted from the programme,
yielding a more economical mode of expression. For those who truly desire to
control all the details, a variant syntax that makes Contraction and Weakening
explicit is given at the end.

Another  approach  to  giving  a  syntax  for  linear  logic  based  on  LU  appears 
in  more  recent  work  [Wad93].  That  paper  presents  a  more  tutorial  introduction: 
it  is  based  on  natural  deduction  rather  than  sequent  calculus,  so  it  takes  less 
advantage  of  pattern  matching,  and  it  stresses  the  syntactic  aspects  of  proof 
reduction  while  ignoring  the  semantics. 

The remainder of this paper is organised as follows. Section 2 presents
Abramsky’s syntax. Section 3 presents Seely’s semantics. Section 4 presents the
new syntax. Section 5 compares the new syntax with Girard’s Logic of Unity.
Section 6 sketches some variations on the new syntax.

2  Old  syntax 

For simplicity, we restrict ourselves to the connectives ⊗ (tensor product), ⊸
(linear implication), & (product), and ! (of course). A type (or proposition) is
built from these connectives and base types.

$$A, B, C \;::=\; X \;\mid\; (A \otimes B) \;\mid\; (A \multimap B) \;\mid\; (A \,\&\, B) \;\mid\; !A$$

Let A, B, C range over types, and X range over base types.

For each of these types, there are terms to construct and destruct values of
that type.

$$t, u \;::=\; x \;\mid\; (t, u) \;\mid\; (\mathbf{let}\ (x, y) = t\ \mathbf{in}\ u) \;\mid\; (\lambda x.\ t) \;\mid\; (t\ u) \;\mid$$
$$\qquad \langle t, u \rangle \;\mid\; (\mathbf{let}\ \langle x, \_ \rangle = t\ \mathbf{in}\ u) \;\mid\; (\mathbf{let}\ \langle \_, y \rangle = t\ \mathbf{in}\ u) \;\mid$$
$$\qquad !t \;\mid\; (\mathbf{let}\ !x = t\ \mathbf{in}\ u) \;\mid\; (\mathbf{let}\ (x @ y) = t\ \mathbf{in}\ u) \;\mid\; (\mathbf{let}\ \_ = t\ \mathbf{in}\ u)$$

Let t, u range over terms, and f, x, y, z range over variables. The use here of
‘let (x, y) = t in u’ in comparison with Abramsky’s ‘let t be x ⊗ y in u’ merely
reflects a preference for the traditional notation, not any significant difference.

An assumption has the form $x_1 : A_1, \ldots, x_n : A_n$ where all the variables
are distinct, and $n \geq 0$. Let Γ and Δ range over assumptions. Write Γ, Δ for
the catenation of two assumptions; whenever this appears it is assumed that the
variables of Γ and Δ are disjoint. Finally, a judgement has the form Γ ⊢ t : A.

The  rules  for  this  version  of  linear  logic  are  shown  in  Figure  1.  Each  rule  has 
zero  or  more  hypotheses  above  the  horizontal  line,  and  a  conclusion  below.  There 
is  one  rule  for  each  term  form,  with  the  exception  of  the  two  rules  Exchange  and 
Cut.  The  Exchange  rule  expresses  that  the  order  of  assumptions  is  irrelevant. 
The  Cut  rule  uses  the  notation  u[t/x]  to  stand  for  the  term  derived  from  u  by 
substituting  t  for  all  occurrences  of  x . 


$$\text{Id}\qquad \frac{}{x : A \vdash x : A}$$

$$\text{Exchange}\qquad \frac{\Gamma,\ x : A,\ y : B,\ \Delta \vdash t : C}{\Gamma,\ y : B,\ x : A,\ \Delta \vdash t : C}$$

$$\text{Cut}\qquad \frac{\Gamma \vdash t : A \qquad x : A,\ \Delta \vdash u : B}{\Gamma,\ \Delta \vdash u[t/x] : B}$$

$$\otimes\text{-R}\qquad \frac{\Gamma \vdash t : A \qquad \Delta \vdash u : B}{\Gamma,\ \Delta \vdash (t, u) : (A \otimes B)}$$

$$\otimes\text{-L}\qquad \frac{\Gamma,\ x : A,\ y : B \vdash t : C}{\Gamma,\ z : (A \otimes B) \vdash (\mathbf{let}\ (x, y) = z\ \mathbf{in}\ t) : C}$$

$$\multimap\text{-R}\qquad \frac{\Gamma,\ x : A \vdash t : B}{\Gamma \vdash (\lambda x.\ t) : (A \multimap B)}$$

$$\multimap\text{-L}\qquad \frac{\Gamma \vdash t : A \qquad y : B,\ \Delta \vdash u : C}{\Gamma,\ f : (A \multimap B),\ \Delta \vdash u[(f\ t)/y] : C}$$

$$\&\text{-R}\qquad \frac{\Gamma \vdash t : A \qquad \Gamma \vdash u : B}{\Gamma \vdash \langle t, u \rangle : (A \,\&\, B)}$$

$$\&\text{-L}\qquad \frac{\Gamma,\ x : A \vdash t : C}{\Gamma,\ z : (A \,\&\, B) \vdash (\mathbf{let}\ \langle x, \_ \rangle = z\ \mathbf{in}\ t) : C}
\qquad
\frac{\Gamma,\ y : B \vdash t : C}{\Gamma,\ z : (A \,\&\, B) \vdash (\mathbf{let}\ \langle \_, y \rangle = z\ \mathbf{in}\ t) : C}$$

$$\text{Promotion}\qquad \frac{x_1 : !A_1,\ \ldots,\ x_n : !A_n \vdash t : B}{x_1 : !A_1,\ \ldots,\ x_n : !A_n \vdash\ !t : !B}$$

$$\text{Dereliction}\qquad \frac{\Gamma,\ x : A \vdash t : B}{\Gamma,\ z : !A \vdash (\mathbf{let}\ !x = z\ \mathbf{in}\ t) : B}$$

$$\text{Contraction}\qquad \frac{\Gamma,\ x : !A,\ y : !A \vdash t : B}{\Gamma,\ z : !A \vdash (\mathbf{let}\ (x @ y) = z\ \mathbf{in}\ t) : B}$$

$$\text{Weakening}\qquad \frac{\Gamma \vdash t : B}{\Gamma,\ z : !A \vdash (\mathbf{let}\ \_ = z\ \mathbf{in}\ t) : B}$$

Fig. 1. Old syntax


The rules are given in sequent calculus style, so constructors are represented
by rules (such as ⊗-R) where the connective appears in the consequent of the
conclusion (to the right of ⊢), and destructors are represented by rules (such as
⊗-L) where the connective appears in the antecedent of the conclusion (to the
left of ⊢). Promotion constructs a term with ‘of course’ type: it is a !-R rule.
Dereliction uses a variable with ‘of course’ type once, Contraction duplicates it,
and Weakening discards it: we refer to these collectively as !-L rules.

The ⊸-L rule only allows one to apply a variable to a term. Readers may be
more familiar with the application rule of Natural Deduction, which allows one
to apply a term to a term.

$$\multimap\text{-E}\qquad \frac{\Gamma \vdash t : (A \multimap B) \qquad \Delta \vdash u : A}{\Gamma,\ \Delta \vdash (t\ u) : B}$$

This rule is derived as follows.

$$\frac{\Gamma \vdash t : (A \multimap B) \qquad
\dfrac{\Delta \vdash u : A \qquad \dfrac{}{y : B \vdash y : B}\ \text{Id}}{\Delta,\ f : (A \multimap B) \vdash (f\ u) : B}\ \multimap\text{-L}}
{\Gamma,\ \Delta \vdash (t\ u) : B}\ \text{Cut}$$

Note the central role played here by Cut. Sequent and natural deduction versions
of linear calculus are presented and shown equivalent by Lincoln and Mitchell
[LM92]. Various mixtures of the two systems have been used by various
researchers [BBdPH92, CGR92, Wad90, Wad91].

Here are a few example judgements.

$$\vdash (\lambda x.\ \lambda y.\ \mathbf{let}\ \_ = y\ \mathbf{in}\ x) : A \multimap !B \multimap A$$

$$\vdash (\lambda r.\ \lambda s.\ \lambda x.\ \mathbf{let}\ !f = r\ \mathbf{in}\ \mathbf{let}\ !g = s\ \mathbf{in}\ \mathbf{let}\ (y @ z) = x\ \mathbf{in}\ f\ y\ !(g\ z)) :$$
$$\qquad !(!A \multimap !B \multimap C) \multimap !(!A \multimap B) \multimap !A \multimap C$$

$$\vdash (\lambda x.\ \mathbf{let}\ (y, z) = x\ \mathbf{in}\ !\langle \mathbf{let}\ !r = y\ \mathbf{in}\ \mathbf{let}\ \_ = z\ \mathbf{in}\ r,\ \ \mathbf{let}\ !s = z\ \mathbf{in}\ \mathbf{let}\ \_ = y\ \mathbf{in}\ s \rangle) :$$
$$\qquad (!A \otimes !B) \multimap !(A \,\&\, B)$$


Because of the Cut rule, an unnerving property of this system is that terms
do not uniquely encode derivations. For example, the judgement

$$z : !!A \vdash\ !(\mathbf{let}\ !x = z\ \mathbf{in}\ x) : !!A$$

has the derivation

$$(*)\qquad \frac{\dfrac{\dfrac{}{x : !A \vdash x : !A}\ \text{Id}}{z : !!A \vdash (\mathbf{let}\ !x = z\ \mathbf{in}\ x) : !A}\ \text{Dereliction}}{z : !!A \vdash\ !(\mathbf{let}\ !x = z\ \mathbf{in}\ x) : !!A}\ \text{Promotion}$$

and also the derivation

$$(**)\qquad \frac{\dfrac{\dfrac{}{x : !A \vdash x : !A}\ \text{Id}}{z : !!A \vdash (\mathbf{let}\ !x = z\ \mathbf{in}\ x) : !A}\ \text{Dereliction}
\qquad
\dfrac{\dfrac{}{y : !A \vdash y : !A}\ \text{Id}}{y : !A \vdash\ !y : !!A}\ \text{Promotion}}
{z : !!A \vdash\ !(\mathbf{let}\ !x = z\ \mathbf{in}\ x) : !!A}\ \text{Cut}$$

At first this may seem vaguely disturbing. We shall see shortly that it is profoundly
disturbing, because each of these derivations is attached to a different
semantics.


3 Semantics

This section presents Seely’s model of linear logic, restricted to the case of
intuitionistic linear logic. Seely’s model is normally thought of as deriving from
$*$-autonomous categories, but the dualising object $*$ is only required to model
classical linear logic.

Anticipating that objects will model types and assumptions, and that arrows
will model terms, let A, B, C and Γ, Δ range over objects, and t, u, v range over
arrows.

A model of intuitionistic linear logic is provided by a category with the
following structure.

- It is symmetric monoidal closed, with unit object $1$, tensor $\otimes$, and internal
  hom $\multimap$. The transpose of $t : \Gamma \otimes A \to B$ is $curry(t) : \Gamma \to (A \multimap B)$, and
  the counit is $apply : (A \multimap B) \otimes A \to B$.

- It possesses finite products, with terminal $\top$ and product $\&$. The unique
  arrow to the terminal is $\langle\rangle : \Gamma \to \top$, the mediating morphism of $t : \Gamma \to A$
  and $u : \Gamma \to B$ is $\langle t, u \rangle : \Gamma \to A \,\&\, B$, and the projections are $fst : A \,\&\, B \to A$
  and $snd : A \,\&\, B \to B$.

- It possesses a comonad $!$. The Kleisli operator of $t : !A \to B$ is $kleisli(t) : !A \to !B$,
  and the counit is $counit : !A \to A$.

- There are isomorphisms $1 \cong !\top$ and $!A \otimes !B \cong !(A \,\&\, B)$. These induce a
  comonoid structure on each object $!A$ that is natural in $A$, given by

$$discard : !A \to 1 \;=\; !A \xrightarrow{\ !\langle\rangle\ } !\top \cong 1,$$

$$duplicate : !A \to !A \otimes !A \;=\; !A \xrightarrow{\ !\langle id, id \rangle\ } !(A \,\&\, A) \cong !A \otimes !A.$$

A categorical model is obtained by associating with each base type an object
in our category, inducing a map from types to objects. Write A for both a
type and its corresponding object. Each assumption $\Gamma = x_1 : A_1, \ldots, x_n : A_n$
possesses a corresponding object $\Gamma = A_1 \otimes \cdots \otimes A_n$; the empty assumption
corresponds to the unit object $1$.

Each judgement Γ ⊢ t : A corresponds to an arrow $t : \Gamma \to A$. Figure 2
shows how each derivation induces an arrow which is its semantics.

Since a given judgement may have more than one derivation, we must verify
that all possible derivations of a judgement assign it the same semantics. This
property is called coherence, and its importance was noted by Breazu-Tannen,
Coquand, Gunter and Scedrov [BCGS91]. In our case, two derivations of a
judgement can differ only in their use of the Exchange or Cut rules, since uses of all
other rules are encoded in the term. Coherence is guaranteed for Exchange by
the fact that ⊗ is symmetric monoidal.

$$\text{Id}\qquad A \xrightarrow{\ id\ } A$$

$$\text{Exchange}\qquad \frac{\Gamma \otimes A \otimes B \otimes \Delta \xrightarrow{\ t\ } C}{\Gamma \otimes B \otimes A \otimes \Delta \cong \Gamma \otimes A \otimes B \otimes \Delta \xrightarrow{\ t\ } C}$$

$$\text{Cut}\qquad \frac{\Gamma \xrightarrow{\ t\ } A \qquad A \otimes \Delta \xrightarrow{\ u\ } B}{\Gamma \otimes \Delta \xrightarrow{\ t \otimes id\ } A \otimes \Delta \xrightarrow{\ u\ } B}$$

$$\otimes\text{-R}\qquad \frac{\Gamma \xrightarrow{\ t\ } A \qquad \Delta \xrightarrow{\ u\ } B}{\Gamma \otimes \Delta \xrightarrow{\ t \otimes u\ } A \otimes B}$$

$$\otimes\text{-L}\qquad \frac{\Gamma \otimes A \otimes B \xrightarrow{\ t\ } C}{\Gamma \otimes (A \otimes B) \cong \Gamma \otimes A \otimes B \xrightarrow{\ t\ } C}$$

$$\multimap\text{-R}\qquad \frac{\Gamma \otimes A \xrightarrow{\ t\ } B}{\Gamma \xrightarrow{\ curry(t)\ } (A \multimap B)}$$

$$\multimap\text{-L}\qquad \frac{\Gamma \xrightarrow{\ t\ } A \qquad B \otimes \Delta \xrightarrow{\ u\ } C}{\Gamma \otimes (A \multimap B) \otimes \Delta \xrightarrow{\ t \otimes id\ } A \otimes (A \multimap B) \otimes \Delta \cong (A \multimap B) \otimes A \otimes \Delta \xrightarrow{\ apply \otimes id\ } B \otimes \Delta \xrightarrow{\ u\ } C}$$

$$\&\text{-R}\qquad \frac{\Gamma \xrightarrow{\ t\ } A \qquad \Gamma \xrightarrow{\ u\ } B}{\Gamma \xrightarrow{\ \langle t, u \rangle\ } (A \,\&\, B)}$$

$$\&\text{-L}\qquad \frac{\Gamma \otimes A \xrightarrow{\ t\ } C}{\Gamma \otimes (A \,\&\, B) \xrightarrow{\ id \otimes fst\ } \Gamma \otimes A \xrightarrow{\ t\ } C}
\qquad
\frac{\Gamma \otimes B \xrightarrow{\ t\ } C}{\Gamma \otimes (A \,\&\, B) \xrightarrow{\ id \otimes snd\ } \Gamma \otimes B \xrightarrow{\ t\ } C}$$

$$\text{Promotion}\qquad \frac{!A_1 \otimes \cdots \otimes !A_n \cong !(A_1 \,\&\, \cdots \,\&\, A_n) \xrightarrow{\ t\ } B}{!A_1 \otimes \cdots \otimes !A_n \cong !(A_1 \,\&\, \cdots \,\&\, A_n) \xrightarrow{\ kleisli(t)\ } !B}$$

$$\text{Dereliction}\qquad \frac{\Gamma \otimes A \xrightarrow{\ t\ } B}{\Gamma \otimes !A \xrightarrow{\ id \otimes counit\ } \Gamma \otimes A \xrightarrow{\ t\ } B}$$

$$\text{Contraction}\qquad \frac{\Gamma \otimes !A \otimes !A \xrightarrow{\ t\ } B}{\Gamma \otimes !A \xrightarrow{\ id \otimes duplicate\ } \Gamma \otimes (!A \otimes !A) \cong \Gamma \otimes !A \otimes !A \xrightarrow{\ t\ } B}$$

$$\text{Weakening}\qquad \frac{\Gamma \xrightarrow{\ t\ } B}{\Gamma \otimes !A \xrightarrow{\ id \otimes discard\ } \Gamma \otimes 1 \cong \Gamma \xrightarrow{\ t\ } B}$$

Fig. 2. Semantics

Unfortunately, the Cut rule does indeed introduce incoherence, when used
in conjunction with Promotion. The derivation (*) given previously induces the
semantics

$$(*)\qquad \frac{\dfrac{\dfrac{}{!A \xrightarrow{\ id\ } !A}\ \text{Id}}{!!A \xrightarrow{\ counit\ } !A}\ \text{Dereliction}}{!!A \xrightarrow{\ kleisli(counit)\ } !!A}\ \text{Promotion}$$

The derivation (**) given previously induces the semantics

$$(**)\qquad \frac{\dfrac{\dfrac{}{!A \xrightarrow{\ id\ } !A}\ \text{Id}}{!!A \xrightarrow{\ counit\ } !A}\ \text{Dereliction}
\qquad
\dfrac{\dfrac{}{!A \xrightarrow{\ id\ } !A}\ \text{Id}}{!A \xrightarrow{\ kleisli(id)\ } !!A}\ \text{Promotion}}
{!!A \xrightarrow{\ counit\ } !A \xrightarrow{\ kleisli(id)\ } !!A}\ \text{Cut}$$

These  are  not  necessarily  equal.  The  arrow  for  (*)  is  necessarily  the  identity,  but 
the  arrow  for  (**)  is  not.  We  thus  have  the  following. 

Counterexample. The syntax of Figure 1 is not coherent with the semantics
of Figure 2.

This  problem  arises  only  with  the  Promotion  rule. 


Theorem.  The  syntax  of  Figure  1  is  coherent  with  the  semantics  of 
Figure  2  if  Promotion  is  not  used.  If  a  term  does  not  contain  !  as  a 
constructor,  then  all  derivations  of  it  will  have  the  same  semantics,  even 
if  they  use  Cut. 


The  proof  is  by  examination  of  overlapping  rules. 

All of the variations of Abramsky’s syntax cited above suffer from this problem
in one form or another. In a natural deduction system, this problem reveals
itself in a failure of the Substitution Lemma: substitution does not commute with
Promotion [Wad92]. The same difficulty is at the root of problems that Lincoln
and Mitchell [LM92] and Chirimar, Gunter, and Riecke [CGR92] encountered
with Subject Reduction theorems, forcing them to be restricted in various ways.

One way to fix the problems is to restrict the class of categorical models. In an
earlier paper [Wad92], it was shown that substitution commutes with Promotion
if and only if the categorical model satisfies $counit;\ kleisli(id) = id$. This is not
very satisfactory, as none of the models cited at the beginning of this paper
satisfy this restriction. Nonetheless, similar restrictions appear in the work of
O’Hearn [O’He91] and Filinski [Fil92], and this may explain why.

Another fix is to revise the syntax of Promotion, so that it records explicitly
what substitutions have occurred. This suggestion has been made by Benton,
Bierman, de Paiva, and Hyland [BBdPH92] and by Reddy [Red91]. The syntax
of promotion is changed so that the term $!t$ is replaced by $![u_1/x_1, \ldots, u_n/x_n]t$,
where $x_1, \ldots, x_n$ are all the free variables of $t$. Here the square brackets are
concrete syntax; this concrete syntax is chosen to resemble the meta-syntax for
substitution, since the roles are similar. The revised Promotion rule is as follows.

$$\text{Promotion}'\qquad \frac{x_1 : !A_1,\ \ldots,\ x_n : !A_n \vdash t : B}{z_1 : !A_1,\ \ldots,\ z_n : !A_n \vdash\ ![z_1/x_1, \ldots, z_n/x_n]t : !B}$$

After promotion, the free variables of the term are $z_1, \ldots, z_n$, and any substitutions
for these variables will be explicit in the term. By acting as a barrier to
substitution, the new syntax performs much the same role that boxing does in
proof nets [Gir87]. It is possible to show that this ‘boxed’ syntax is coherent: all
derivations of a term have the same semantics.

Returning to our example, the first derivation becomes

$$(*)\qquad \frac{\dfrac{\dfrac{}{x : !A \vdash x : !A}\ \text{Id}}{y : !!A \vdash (\mathbf{let}\ !x = y\ \mathbf{in}\ x) : !A}\ \text{Dereliction}}{z : !!A \vdash\ ![z/y](\mathbf{let}\ !x = y\ \mathbf{in}\ x) : !!A}\ \text{Promotion}'$$

and the second becomes

$$(**)\qquad \frac{\dfrac{\dfrac{}{x : !A \vdash x : !A}\ \text{Id}}{z : !!A \vdash (\mathbf{let}\ !x = z\ \mathbf{in}\ x) : !A}\ \text{Dereliction}
\qquad
\dfrac{\dfrac{}{y : !A \vdash y : !A}\ \text{Id}}{w : !A \vdash\ ![w/y]y : !!A}\ \text{Promotion}'}
{z : !!A \vdash\ ![(\mathbf{let}\ !x = z\ \mathbf{in}\ x)/y]y : !!A}\ \text{Cut}$$

Now the terms are different, so it is not a problem that they are assigned different
semantics.

The  key  idea  here  is  that  there  is  a  barrier  around  Promotion  indicating  what 
substitutions  occur.  The  next  section  will  reveal  a  different  syntax  that  erects  a 
similar  barrier. 


4  New  syntax 

The new syntax makes three significant changes. First, it introduces a notion of
pattern. Whereas previously assumptions paired variables with types, now they
will pair patterns with types. Second, the various instances of ‘let’ that appeared
previously, associated with the ⊗-L, &-L, and !-L rules, are now all consolidated
into a single ‘let’. Third, there is no explicit indication of Contraction or Weakening
in the terms. (This third change is convenient but not essential, and we
will see how to undo it in the next section.)

For each type, there is now a term to construct values of that type, and a
pattern to destruct values of that type. The exception is ⊸, which has terms for
both construction and destruction. There is also a ‘let’ term.

$$p, q \;::=\; x \;\mid\; (p, q) \;\mid\; \langle p, \_ \rangle \;\mid\; \langle \_, q \rangle \;\mid\; !x$$

$$t, u \;::=\; x \;\mid\; (t, u) \;\mid\; (\lambda p.\ t) \;\mid\; (t\ u) \;\mid\; \langle t, u \rangle \;\mid\; !t \;\mid\; (\mathbf{let}\ p = t\ \mathbf{in}\ u)$$

Let p, q range over patterns, t, u range over terms, and f, x, y, z range over
variables. Note that patterns for the types ⊗ and & may be nested, but patterns
for the type ! may not. We will see below that this system guarantees coherent
semantics, but that if nested ! patterns were allowed then coherence would again
be lost.

An assumption now has the form $p_1 : A_1, \ldots, p_n : A_n$ where $n \geq 0$ and no
variable appears more than once in all of the patterns combined. Again, let Γ, Δ
range over assumptions, and judgements have the form Γ ⊢ t : A.

The  rules  for  this  version  of  linear  logic  are  shown  in  Figure  3.  With  the 
exception  of  the  new  rule  Let,  there  is  a  one-to-one  correspondence  between 
rules  in  the  old  syntax  and  rules  in  the  new  syntax.  The  ®-L,  &-L,  and  !-L  rules 
now  all  introduce  patterns  rather  than  ‘let’  terms.  The  introduction  of ‘let’  terms 
has  been  factored  out  into  a  separate  Let  rule.  The  three  !-L  rules  all  introduce 
the  same  pattern,  so  there  is  no  explicit  indication  of  Contraction  or  Weakening. 
The  appearance  of  !  patterns  in  Contraction  helps  to  explain  the  restriction  to 
variables,  since  this  makes  the  substitution  associated  with  Contraction  easier 
to  express.  Promotion  is  changed  so  that  in  addition  to  requiring  that  all  types 
in  the  assumption  begin  with  a  !,  all  patterns  in  the  assumption  must  also  do 
so. 

This last change is the critical step: the ! patterns will act as a barrier to
substitution, just as the ‘boxed’ syntax at the end of the last section did. What
was written $![u_1/x_1, \ldots, u_n/x_n]t$ in the boxed syntax is here written

$$\mathbf{let}\ !y_1 = u_1\ \mathbf{in}\ \cdots\ \mathbf{let}\ !y_n = u_n\ \mathbf{in}\ t[!y_1/x_1, \ldots, !y_n/x_n].$$

Note that $![u_i/x_i]t$ is concrete syntax, whereas $t[!y_i/x_i]$ is meta-syntax for
substitution. Although here the new syntax appears less compact than the boxed
syntax, in practice the new syntax will often be more compact because of pattern
matching, and because Contraction and Weakening are not explicitly indicated.

The Let rule has no logical content, as erasing the terms from the hypothesis
or the conclusion gives the same logical judgement, Γ, A ⊢ B. Indeed, the Let
rule can be simply considered a convenient abbreviation, as it can be derived
from the ⊸ rules and Cut.


$$\frac{\dfrac{\Gamma,\ p : A \vdash u : B}{\Gamma \vdash (\lambda p.\ u) : (A \multimap B)}\ \multimap\text{-R}
\qquad
\dfrac{\dfrac{}{x : A \vdash x : A}\ \text{Id} \qquad \dfrac{}{y : B \vdash y : B}\ \text{Id}}{f : (A \multimap B),\ x : A \vdash (f\ x) : B}\ \multimap\text{-L}}
{\Gamma,\ x : A \vdash ((\lambda p.\ u)\ x) : B}\ \text{Cut}$$

Thus, we can take (let p = x in u) as an abbreviation for ((λp. u) x).

The  rules  in  Figure  2  for  assigning  a  semantics  to  the  derivation  of  a  term  still 
apply.  The  Let  rule  assigns  the  judgement  in  the  conclusion  the  same  semantics 
as  the  judgement  in  the  hypothesis. 

Theorem.  The  syntax  of  Figure  3  is  coherent  with  the  semantics  of 
Figure  2. 

The  proof  is  by  examining  the  possible  overlaps  between  rules. 
$$\text{Id}\qquad \frac{}{x : A \vdash x : A}$$

$$\text{Exchange}\qquad \frac{\Gamma,\ p : A,\ q : B,\ \Delta \vdash t : C}{\Gamma,\ q : B,\ p : A,\ \Delta \vdash t : C}$$

$$\text{Cut}\qquad \frac{\Gamma \vdash t : A \qquad x : A,\ \Delta \vdash u : B}{\Gamma,\ \Delta \vdash u[t/x] : B}$$

$$\text{Let}\qquad \frac{\Gamma,\ p : A \vdash u : B}{\Gamma,\ x : A \vdash (\mathbf{let}\ p = x\ \mathbf{in}\ u) : B}$$

$$\otimes\text{-R}\qquad \frac{\Gamma \vdash t : A \qquad \Delta \vdash u : B}{\Gamma,\ \Delta \vdash (t, u) : (A \otimes B)}$$

$$\otimes\text{-L}\qquad \frac{\Gamma,\ p : A,\ q : B \vdash t : C}{\Gamma,\ (p, q) : (A \otimes B) \vdash t : C}$$

$$\multimap\text{-R}\qquad \frac{\Gamma,\ p : A \vdash t : B}{\Gamma \vdash (\lambda p.\ t) : (A \multimap B)}$$

$$\multimap\text{-L}\qquad \frac{\Gamma \vdash t : A \qquad y : B,\ \Delta \vdash u : C}{\Gamma,\ f : (A \multimap B),\ \Delta \vdash u[(f\ t)/y] : C}$$

$$\&\text{-R}\qquad \frac{\Gamma \vdash t : A \qquad \Gamma \vdash u : B}{\Gamma \vdash \langle t, u \rangle : (A \,\&\, B)}$$

$$\&\text{-L}\qquad \frac{\Gamma,\ p : A \vdash t : C}{\Gamma,\ \langle p, \_ \rangle : (A \,\&\, B) \vdash t : C}
\qquad
\frac{\Gamma,\ q : B \vdash t : C}{\Gamma,\ \langle \_, q \rangle : (A \,\&\, B) \vdash t : C}$$

$$\text{Promotion}\qquad \frac{!x_1 : !A_1,\ \ldots,\ !x_n : !A_n \vdash t : B}{!x_1 : !A_1,\ \ldots,\ !x_n : !A_n \vdash\ !t : !B}$$

$$\text{Dereliction}\qquad \frac{\Gamma,\ z : A \vdash t : B}{\Gamma,\ !z : !A \vdash t : B}$$

$$\text{Contraction}\qquad \frac{\Gamma,\ !x : !A,\ !y : !A \vdash t : B}{\Gamma,\ !z : !A \vdash t[z/x, z/y] : B}
\qquad
\text{Weakening}\qquad \frac{\Gamma \vdash t : B}{\Gamma,\ !z : !A \vdash t : B}$$

Fig. 3. New syntax


Here are the example judgements of Section 2 revisited.

$$\vdash (\lambda x.\ \lambda !y.\ x) : A \multimap !B \multimap A$$

$$\vdash (\lambda !f.\ \lambda !g.\ \lambda !x.\ f\ !x\ !(g\ !x)) : !(!A \multimap !B \multimap C) \multimap !(!A \multimap B) \multimap !A \multimap C$$

$$\vdash (\lambda (!r, !s).\ !\langle r, s \rangle) : (!A \otimes !B) \multimap !(A \,\&\, B)$$

The new syntax is considerably more compact.
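The rules of Figure 3 are close enough to an algorithm that they can be run. The following Python checker is an added example, not code from the paper: an assumption is a pattern paired with a type, a !x pattern binds x as a variable that may be used any number of times (Dereliction with Contraction and Weakening implicit), every other pattern variable must be consumed exactly once, and Promotion !t is accepted only when no linear variable is free in t, which is exactly the barrier described above. The tuple encoding of types, terms and patterns and the domain annotation on λ-binders are this example's own assumptions; the three judgements above are encoded as EX1, EX2 and EX3, and BAD_PROMOTE is the term λz. !z with z : !A bound by a plain (not !) pattern, which the checker rejects.

```python
# Added example: a type checker for the pattern-based syntax of Figure 3.
# Types:    ('base', n) | ('tensor', A, B) | ('lolli', A, B) | ('with', A, B) | ('bang', A)
# Terms:    ('var', x) | ('pair', t, u) | ('lam', p, A, t) | ('app', t, u)
#           | ('wpair', t, u) | ('bang', t) | ('let', p, t, u)
# Patterns: ('pvar', x) | ('ppair', p, q) | ('pfst', p) | ('psnd', q) | ('pbang', x)
# The domain annotation A on 'lam' is this checker's own addition; Figure 3 has none.
LIN, INT = "linear", "intuitionistic"

class LinearTypeError(Exception): pass

def fail(msg):
    raise LinearTypeError(msg)

def bind(pat, ty, ctx):
    """ctx extended with the variables of pattern pat matched against type ty.
    A !x pattern against !A binds x : A intuitionistically (Dereliction, with
    Contraction and Weakening left implicit); every other variable is linear."""
    ctx, kind = dict(ctx), pat[0]
    if kind in ('pvar', 'pbang'):
        x = pat[1]
        if x in ctx: fail(f"variable {x} already bound")
        if kind == 'pvar':
            ctx[x] = (ty, LIN)
        else:
            if ty[0] != 'bang': fail(f"pattern !{x} against non-! type {ty}")
            ctx[x] = (ty[1], INT)
    elif kind == 'ppair':                      # tensor-L; nesting allowed
        if ty[0] != 'tensor': fail(f"pair pattern against {ty}")
        ctx = bind(pat[2], ty[2], bind(pat[1], ty[1], ctx))
    else:                                      # &-L: <p,_> or <_,q>
        if ty[0] != 'with': fail(f"& pattern against {ty}")
        ctx = bind(pat[1], ty[1] if kind == 'pfst' else ty[2], ctx)
    return ctx

def scoped(pat, ty, body, ctx):
    """Type body under pat : ty; each linear variable the pattern introduces
    must be consumed exactly once inside body."""
    inner = bind(pat, ty, ctx)
    fresh = set(inner) - set(ctx)
    res, used = infer(body, inner)
    unused = {x for x in fresh if inner[x][1] == LIN} - used
    if unused: fail(f"linear variables never used: {sorted(unused)}")
    return res, used - fresh

def infer(term, ctx):
    """Return (type, frozenset of linear variables consumed) for term under ctx."""
    k = term[0]
    if k == 'var':
        if term[1] not in ctx: fail(f"unbound variable {term[1]}")
        ty, kind = ctx[term[1]]
        return ty, (frozenset([term[1]]) if kind == LIN else frozenset())
    if k in ('pair', 'app'):                   # tensor-R and application split Gamma
        a, ua = infer(term[1], ctx)
        b, ub = infer(term[2], ctx)
        if ua & ub: fail(f"linear variables used twice: {sorted(ua & ub)}")
        if k == 'pair':
            return ('tensor', a, b), ua | ub
        if a[0] != 'lolli' or a[1] != b: fail(f"cannot apply {a} to {b}")
        return a[2], ua | ub
    if k == 'wpair':                           # &-R: both components share Gamma
        a, ua = infer(term[1], ctx)
        b, ub = infer(term[2], ctx)
        if ua != ub: fail("& components must consume the same linear variables")
        return ('with', a, b), ua
    if k == 'lam':                             # lolli-R with a pattern binder
        res, used = scoped(term[1], term[2], term[3], ctx)
        return ('lolli', term[2], res), used
    if k == 'bang':                            # Promotion, the ! barrier: every variable
        res, used = infer(term[1], ctx)        # free in t must come from a !x pattern
        if used: fail(f"promotion under linear assumptions {sorted(used)}")
        return ('bang', res), frozenset()
    if k == 'let':
        ty, ut = infer(term[2], ctx)
        res, uu = scoped(term[1], ty, term[3], ctx)
        if ut & uu: fail(f"linear variables used twice: {sorted(ut & uu)}")
        return res, ut | uu
    fail(f"unknown term form {k}")

def typeof(term):
    """Type of a closed term, or raise LinearTypeError."""
    return infer(term, {})[0]

def accepts(term):
    try:
        return typeof(term) is not None
    except LinearTypeError:
        return False

A, B, C = ('base', 'A'), ('base', 'B'), ('base', 'C')
def bang(t): return ('bang', t)
def lolli(a, b): return ('lolli', a, b)
# The three example judgements of Section 4 in this encoding, plus one rejected term.
EX1 = ('lam', ('pvar', 'x'), A, ('lam', ('pbang', 'y'), bang(B), ('var', 'x')))
EX2 = ('lam', ('pbang', 'f'), bang(lolli(bang(A), lolli(bang(B), C))),
       ('lam', ('pbang', 'g'), bang(lolli(bang(A), B)),
        ('lam', ('pbang', 'x'), bang(A), ('app', ('app', ('var', 'f'), bang(('var', 'x'))),
                                          bang(('app', ('var', 'g'), bang(('var', 'x'))))))))
EX3 = ('lam', ('ppair', ('pbang', 'r'), ('pbang', 's')), ('tensor', bang(A), bang(B)),
       bang(('wpair', ('var', 'r'), ('var', 's'))))
BAD_PROMOTE = ('lam', ('pvar', 'z'), bang(A), bang(('var', 'z')))  # z is a linear pattern
```

The checker threads the set of linear variables each subterm consumes instead of splitting Γ up front, which is the usual way to implement the context-splitting rules ⊗-R, ⊸-L and Cut; the &-R rule is the one place where both sides must report the same set. Rejecting BAD_PROMOTE while accepting λ!z. !z : !!A ⊸ !!A is precisely the difference between the old Id on z : !A and the new Id, Dereliction, Promotion on !z : !A.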

Returning to our main example, the first derivation becomes

$$(*)\qquad \frac{\dfrac{\dfrac{}{z : !A \vdash z : !A}\ \text{Id}}{!z : !!A \vdash z : !A}\ \text{Dereliction}}{!z : !!A \vdash\ !z : !!A}\ \text{Promotion}$$

The second derivation is no longer valid. The Promotion rule no longer applies,
because it contains patterns not in the proper form. In order to obtain the
same semantics as previously, the derivation must be rewritten. The old use of
the Id rule, which yielded x : !A ⊢ x : !A, is replaced with a use of Id, Dereliction,
and Promotion, which yields !x : !A ⊢ !x : !A. Both derivations have the same
semantics (the identity arrow), but further promotion is only possible for the
latter.


$$(**)\qquad \frac{\dfrac{\dfrac{}{z : !A \vdash z : !A}\ \text{Id}}{!z : !!A \vdash z : !A}\ \text{Dereliction}
\qquad
\dfrac{\dfrac{\dfrac{\dfrac{\dfrac{}{x : A \vdash x : A}\ \text{Id}}{!x : !A \vdash x : A}\ \text{Dereliction}}{!x : !A \vdash\ !x : !A}\ \text{Promotion}}{!x : !A \vdash\ !!x : !!A}\ \text{Promotion}}{w : !A \vdash (\mathbf{let}\ !x = w\ \mathbf{in}\ !!x) : !!A}\ \text{Let}}
{!z : !!A \vdash (\mathbf{let}\ !x = z\ \mathbf{in}\ !!x) : !!A}\ \text{Cut}$$


The  new  (*)  and  (**)  have  the  same  semantics  as  the  old.  As  with  the  boxed 
semantics,  we  now  have  distinct  terms  yielding  distinct  semantics.  Every  old 
derivation  carries  into  a  new  derivation  with  the  same  semantics;  the  only  change 
needed  may  be  to  replace  some  uses  of  Id  with  Id,  Dereliction,  and  Promotion, 
as  above;  and  to  add  some  uses  of  Let. 

If nested ! patterns were allowed, the coherence property would again be lost.
Consider the (illegal) judgement !!x : !!A ⊢ !x : !A. There are two different proof
trees that yield this judgement. The first applies rules in the order Id, Derelict,
Promote, Derelict and has semantics counit; kleisli(counit), which simplifies to
counit. The second applies rules in the order Id, Derelict, Derelict, Promote and
has semantics kleisli(counit; counit), which does not simplify to counit. Hence
the restriction that ! patterns cannot be nested. There is no similar problem for
⊗ or & patterns.
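Both comparisons of composites in this paper, the arrows counit; kleisli(id) and id for (*) and (**) at the end of Section 3 and the two arrows for the illegal nested-pattern judgement just discussed, can be checked in a concrete comonad. The following is an added example, not part of the paper: it uses the non-empty list comonad on sets (counit is the head of the list, and the Kleisli operator applies a function to every non-empty suffix). This comonad satisfies the three comonad laws but is not a full model of Figure 2; it is used here only to show that the comonad laws alone do not force the composites in question to agree. Composition is written diagrammatically, as in the text, and the sample lists are constructed input.

```python
# Added example: the non-empty list comonad, used to compare the composites that
# the text assigns to (*) and (**) and to the nested-pattern judgement.
# An element of !A is a non-empty list over A; an element of !!A is a list of such lists.


def counit(xs):
    """counit : !A -> A takes the head of the list."""
    return xs[0]


def tails(xs):
    """All non-empty suffixes of xs; this is kleisli(id) : !A -> !!A."""
    return [xs[i:] for i in range(len(xs))]


def kleisli(f):
    """kleisli(f) : !A -> !B for f : !A -> B, applying f to every suffix."""
    return lambda xs: [f(s) for s in tails(xs)]


def seq(f, g):
    """Diagrammatic composition f; g as written in the text: first f, then g."""
    return lambda x: g(f(x))


def identity(x):
    return x


def comonad_laws_hold(xs):
    """The three comonad laws on the sample xs.  counit; kleisli(id) = id is not one of them."""
    return (counit(tails(xs)) == xs                      # kleisli(id); counit = id
            and kleisli(counit)(xs) == xs                 # kleisli(counit) = id
            and tails(tails(xs)) == kleisli(tails)(xs))   # coassociativity


# Arrows !!A -> !!A: the identity assigned to (*), and counit; kleisli(id) assigned to (**).
star = identity
star_star = seq(counit, kleisli(identity))

# Arrows !!A -> !A for the illegal judgement !!x : !!A |- !x : !A.
nested_first = seq(counit, kleisli(counit))     # simplifies to counit by the comonad laws
nested_second = kleisli(seq(counit, counit))    # does not

SAMPLE = [[1, 2], [3]]   # constructed element of !!A with A the integers
```

On SAMPLE the (**) arrow returns [[1, 2], [2]], not SAMPLE, so the two derivations of Section 2 really do receive different semantics in this comonad; the nested-pattern arrows return [1, 2] and [1, 3] respectively, matching the claim that only the first simplifies to counit.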

Since  there  are  no  longer  explicit  terms  for  Contraction  and  Weakening,  these 
must  be  checked  for  coherence.  Coherence  here  is  guaranteed  by  the  fact  that 
discard  and  duplicate  form  a  comonoid:  duplicating  and  then  discarding  is  the 
same  as  the  identity;  two  duplications  in  different  orders  have  the  same  meaning, 
and  so  on.  The  situation  is  very  similar  to  that  for  Exchange,  and  indeed  there 
appears  to  be  no  more  reason  for  textually  indicating  each  use  of  Contraction 
or  Weakening  than  there  is  for  indicating  each  use  of  Exchange. 

The  new  syntax  satisfies  a  pleasing  number  of  equivalences.  In  the  case  where 
the  ‘let’  is  simply  binding  a  variable,  it  can  be  replaced  by  substitution.  Further, 
whenever  a  constructor  meets  a  corresponding  destructor,  it  can  be  substituted 
out.  Finally,  ‘let’  satisfies  a  pair  of  familiar  laws.  All  these  points  are  summarised 
in  the  following. 


Theorem. The following equations hold for the syntax of Figure 3 with
the semantics of Figure 2.

$$(1)\quad (\mathbf{let}\ x = t\ \mathbf{in}\ u) = u[t/x]$$
$$(2)\quad (\mathbf{let}\ (p, q) = (t, u)\ \mathbf{in}\ v) = (\mathbf{let}\ p = t\ \mathbf{in}\ (\mathbf{let}\ q = u\ \mathbf{in}\ v))$$
$$(3)\quad ((\lambda p.\ u)\ t) = (\mathbf{let}\ p = t\ \mathbf{in}\ u)$$
$$(4)\quad (\mathbf{let}\ \langle p, \_ \rangle = \langle t, u \rangle\ \mathbf{in}\ v) = (\mathbf{let}\ p = t\ \mathbf{in}\ v)$$
$$(5)\quad (\mathbf{let}\ \langle \_, q \rangle = \langle t, u \rangle\ \mathbf{in}\ v) = (\mathbf{let}\ q = u\ \mathbf{in}\ v)$$
$$(6)\quad (\mathbf{let}\ !x = !t\ \mathbf{in}\ u) = u[t/x]$$
$$(7)\quad (\mathbf{let}\ p = t\ \mathbf{in}\ p) = t$$
$$(8)\quad (\mathbf{let}\ q = (\mathbf{let}\ p = t\ \mathbf{in}\ u)\ \mathbf{in}\ v) = (\mathbf{let}\ p = t\ \mathbf{in}\ (\mathbf{let}\ q = u\ \mathbf{in}\ v))$$

These laws assume no collision of bound variables; e.g., in law (2), the
free variables of u must not be bound in p.

Law  (1)  is  immediate  from  coherence.  Laws  (2)-(6)  and  (8)  follow  immediately 
from  the  categorical  semantics.  Law  (7)  is  proved  by  induction  on  the  pattern. 

Here are equations (6)-(8) again, with the last two instantiated to the special
case of ! patterns.

$$(\mathbf{let}\ !x = !t\ \mathbf{in}\ u) = u[t/x]$$

$$(\mathbf{let}\ !x = t\ \mathbf{in}\ !x) = t$$

$$(\mathbf{let}\ !y = (\mathbf{let}\ !x = t\ \mathbf{in}\ u)\ \mathbf{in}\ v) = (\mathbf{let}\ !x = t\ \mathbf{in}\ (\mathbf{let}\ !y = u\ \mathbf{in}\ v))$$

These  are  reminiscent  of  the  three  equations  satisfied  by  Moggi’s  calculus  for 
monads  [Mog89].  For  our  syntax  the  first  equation  depends  on  the  right  counit 
law  for  comonads  and  the  second  equation  depends  on  the  left  counit  law  for 
comonads;  while  for  Moggi’s  calculus  the  first  equation  depends  on  the  left  unit 
law  for  monads,  and  the  second  equation  depends  on  the  right  unit  law  for 
monads.  However,  the  analogy  goes  awry  with  the  third  equation.  Moggi’s  last 
equation  depends  on  the  associative  law  for  monads,  while  our  last  equation  has 
nothing to do with the associative law for comonads. (However, the associative
law for comonads is important in verifying the coherence of the new syntax.)
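To make the eight laws concrete, here is an added example (our own code, not code from Wadler's paper) that evaluates terms of the Figure 3 syntax in a set-theoretic model: tensor pairs and with-pairs both become Python pairs, ! is the identity and a λ-abstraction a closure. This model is a simplifying assumption of the example and does not enforce linearity, but the equations of the Theorem hold in it, so each law can be tested as an equality of values on sample terms. The tuple encodings of terms and patterns are our own.

```python
# Added example (not from the paper): evaluator for the pattern-matching
# 'let' syntax of Figure 3 in a set-theoretic model.  Assumptions: both
# (t,u) and <t,u> are Python pairs, '!' is the identity, lambda is a closure.
#
# Terms:    ('const', v) | ('var', x) | ('pair', t, u) | ('with', t, u)
#           | ('bang', t) | ('lam', p, t) | ('app', t, u) | ('let', p, t, u)
# Patterns: ('pvar', x) | ('ppair', p, q) | ('pwith_l', p) | ('pwith_r', q)
#           | ('pbang', x)


def match(pat, value, env):
    """Bind the variables of pat to the matching components of value."""
    kind = pat[0]
    if kind in ('pvar', 'pbang'):      # x and !x both bind x
        env[pat[1]] = value
    elif kind == 'ppair':              # (p,q) splits a tensor pair
        match(pat[1], value[0], env)
        match(pat[2], value[1], env)
    elif kind == 'pwith_l':            # <p,_> projects the left component
        match(pat[1], value[0], env)
    elif kind == 'pwith_r':            # <_,q> projects the right component
        match(pat[1], value[1], env)
    else:
        raise ValueError(pat)
    return env


def evaluate(term, env=None):
    env = {} if env is None else env
    kind = term[0]
    if kind == 'const':
        return term[1]
    if kind == 'var':
        return env[term[1]]
    if kind in ('pair', 'with'):
        return (evaluate(term[1], env), evaluate(term[2], env))
    if kind == 'bang':                 # ! is the identity in this model
        return evaluate(term[1], env)
    if kind == 'lam':
        pat, body = term[1], term[2]
        return lambda v: evaluate(body, match(pat, v, dict(env)))
    if kind == 'app':
        return evaluate(term[1], env)(evaluate(term[2], env))
    if kind == 'let':                  # let p = t in u
        pat, t, body = term[1], term[2], term[3]
        return evaluate(body, match(pat, evaluate(t, env), dict(env)))
    raise ValueError(term)


def pattern_vars(pat):
    if pat[0] in ('pvar', 'pbang'):
        return {pat[1]}
    return set().union(*(pattern_vars(p) for p in pat[1:]))


def subst(term, x, t):
    """term[t/x]; assumes no variable capture, as the Theorem's laws do."""
    kind = term[0]
    if kind == 'const':
        return term
    if kind == 'var':
        return t if term[1] == x else term
    if kind == 'lam':
        body = term[2] if x in pattern_vars(term[1]) else subst(term[2], x, t)
        return ('lam', term[1], body)
    if kind == 'let':
        body = term[3] if x in pattern_vars(term[1]) else subst(term[3], x, t)
        return ('let', term[1], subst(term[2], x, t), body)
    return (kind,) + tuple(subst(s, x, t) for s in term[1:])


def pattern_as_term(pat):
    """The term p read off a pattern p without wildcards, as in law (7)."""
    if pat[0] == 'pvar':
        return ('var', pat[1])
    if pat[0] == 'pbang':
        return ('bang', ('var', pat[1]))
    if pat[0] == 'ppair':
        return ('pair', pattern_as_term(pat[1]), pattern_as_term(pat[2]))
    raise ValueError(pat)


def check_laws():
    """Evaluate both sides of laws (1)-(8) on sample terms; True means equal."""
    t, u = ('const', 1), ('const', 2)
    x, y = ('var', 'x'), ('var', 'y')
    pxy = ('ppair', ('pvar', 'x'), ('pvar', 'y'))
    swap = ('pair', y, x)
    same = lambda a, b: evaluate(a) == evaluate(b)
    return {
        1: same(('let', ('pvar', 'x'), t, ('pair', x, x)),
                subst(('pair', x, x), 'x', t)),
        2: same(('let', pxy, ('pair', t, u), swap),
                ('let', ('pvar', 'x'), t, ('let', ('pvar', 'y'), u, swap))),
        3: same(('app', ('lam', pxy, swap), ('pair', t, u)),
                ('let', pxy, ('pair', t, u), swap)),
        4: same(('let', ('pwith_l', ('pvar', 'x')), ('with', t, u), x),
                ('let', ('pvar', 'x'), t, x)),
        5: same(('let', ('pwith_r', ('pvar', 'y')), ('with', t, u), y),
                ('let', ('pvar', 'y'), u, y)),
        6: same(('let', ('pbang', 'x'), ('bang', t), ('pair', x, x)),
                subst(('pair', x, x), 'x', t)),
        7: same(('let', pxy, ('pair', t, u), pattern_as_term(pxy)),
                ('pair', t, u)),
        8: same(('let', ('pvar', 'y'), ('let', ('pvar', 'x'), t, ('pair', x, x)),
                 ('pair', y, y)),
                ('let', ('pvar', 'x'), t,
                 ('let', ('pvar', 'y'), ('pair', x, x), ('pair', y, y)))),
    }
```

Because ! is collapsed to the identity, the model cannot distinguish a linear from an intuitionistic use of a variable; it validates the equations, not the typing discipline that restricts where Contraction and Weakening may occur.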

5  Logic  of  Unity 

The  system  described  here  is  closely  related  to  Girard’s  Logic  of  Unity  (LU) 
[Gir91].  Indeed,  it  was  inspired  by  it:  the  trick  that  avoids  coherence  problems 
was stolen from LU. To clarify the relation, this section presents an appropriately
simplified version of LU. Major differences from Girard's LU are that this version
is restricted to the intuitionistic fragment, and there are no polarities.

In this variant of LU, there are two sorts of assumptions, linear and intuitionistic.
Linear assumptions pair patterns with types, so they have the form
p1 : A1, ..., pn : An, while intuitionistic assumptions pair variables with types,
so they have the form x1 : A1, ..., xn : An. Linear assumptions may not be
contracted or weakened, while intuitionistic assumptions may. The Contraction
rule is much more neatly expressed in terms of variables because it involves
substitution, which partly explains the restriction to variables in intuitionistic
assumptions. Let Γ, Δ range over linear assumptions, and Φ, Ψ range over
intuitionistic assumptions. A judgement has the form Γ; Φ ⊢ t : A, where the linear
and intuitionistic assumptions are separated by a semicolon.

The rules for this variant of LU are shown in Figure 4. There is a close
correspondence with our new syntax of Figure 3, here called LL for short. The
previous Id rule is split into two rules, Id and Id-Int, the first dealing with a
linear assumption and the second dealing with an intuitionistic one. Similarly,
the previous Exchange rule is split into Exchange and Exchange-Int. The logical
rules for ⊗ and ⊸ deal with linear assumptions. Promotion and Dereliction are
logical rules of ! and deal with the relation between the two sorts of assumptions,
while Contraction and Weakening have metamorphosed from logical rules of ! to
structural rules dealing with intuitionistic assumptions.


Id
\[ x : A;\ \vdash x : A \]

Id-Int
\[ ;\ x : A \vdash x : A \]

Exchange
\[ \frac{\Gamma, p : A, q : B, \Delta;\ \Phi \vdash t : C}{\Gamma, q : B, p : A, \Delta;\ \Phi \vdash t : C} \]

Exchange-Int
\[ \frac{\Gamma;\ \Phi, x : A, y : B, \Psi \vdash t : C}{\Gamma;\ \Phi, y : B, x : A, \Psi \vdash t : C} \]

Cut
\[ \frac{\Gamma;\ \Phi \vdash t : A \qquad x : A, \Delta;\ \Psi \vdash u : B}{\Gamma, \Delta;\ \Phi, \Psi \vdash u[t/x] : B} \]

Let
\[ \frac{\Gamma, p : A;\ \Phi \vdash u : B}{\Gamma, x : A;\ \Phi \vdash (\mathrm{let}\ p = x\ \mathrm{in}\ u) : B} \]

⊗-R
\[ \frac{\Gamma;\ \Phi \vdash t : A \qquad \Delta;\ \Psi \vdash u : B}{\Gamma, \Delta;\ \Phi, \Psi \vdash (t, u) : (A \otimes B)} \]

⊗-L
\[ \frac{\Gamma, p : A, q : B;\ \Phi \vdash t : C}{\Gamma, (p, q) : (A \otimes B);\ \Phi \vdash t : C} \]

⊸-R
\[ \frac{\Gamma, p : A;\ \Phi \vdash t : B}{\Gamma;\ \Phi \vdash (\lambda p.\ t) : (A \multimap B)} \]

⊸-L
\[ \frac{\Gamma;\ \Phi \vdash t : A \qquad y : B, \Delta;\ \Psi \vdash u : C}{\Gamma, f : (A \multimap B), \Delta;\ \Phi, \Psi \vdash u[(f\ t)/y] : C} \]

&-R
\[ \frac{\Gamma;\ \Phi \vdash t : A \qquad \Gamma;\ \Phi \vdash u : B}{\Gamma;\ \Phi \vdash \langle t, u \rangle : (A \mathbin{\&} B)} \]

&-L
\[ \frac{\Gamma, p : A;\ \Phi \vdash t : C}{\Gamma, \langle p, \_ \rangle : (A \mathbin{\&} B);\ \Phi \vdash t : C} \qquad \frac{\Gamma, q : B;\ \Phi \vdash t : C}{\Gamma, \langle \_, q \rangle : (A \mathbin{\&} B);\ \Phi \vdash t : C} \]

Promotion
\[ \frac{;\ \Phi \vdash t : B}{;\ \Phi \vdash\ !t : !B} \]

Dereliction
\[ \frac{\Gamma;\ z : A, \Phi \vdash t : B}{\Gamma, !z : !A;\ \Phi \vdash t : B} \]

Contraction
\[ \frac{\Gamma;\ \Phi, x : A, y : A \vdash t : B}{\Gamma;\ \Phi, z : A \vdash t[z/x, z/y] : B} \]

Weakening
\[ \frac{\Gamma;\ \Phi \vdash t : B}{\Gamma;\ \Phi, z : A \vdash t : B} \]

Fig. 4. A version of the Logic of Unity


It is possible to translate LU into LL. A judgement of the form Γ; Φ ⊢ t : A
in LU corresponds to a judgement Γ, !Φ ⊢ t : A in LL, where if Φ is
x1 : A1, ..., xn : An then !Φ is !x1 : !A1, ..., !xn : !An.

Each rule in LU corresponds to the rule of the same name in LL, with two
spectacular exceptions. Id-Int in LU translates to a combination of Id and
Dereliction in LL.


Id-Int
\[ ;\ x : A \vdash x : A \]

becomes, in LL,

\[ \frac{x : A \vdash x : A \quad (\text{Id})}{!x : !A \vdash x : A} \ (\text{Dereliction}) \]


On  the  other  hand,  both  the  hypothesis  and  conclusion  of  the  Dereliction  rule 
of  LU  translate  to  the  same  judgement  of  LL. 


Dereliction
\[ \frac{\Gamma;\ z : A, \Phi \vdash t : B}{\Gamma, !z : !A;\ \Phi \vdash t : B} \]

and both judgements translate to

\[ \Gamma, !z : !A, !\Phi \vdash t : B \]


Thus  Id-Int  in  LU  corresponds  to  Dereliction  in  LL,  while  Dereliction  in  LU 
corresponds  to  nothing  at  all! 

The translation induces the obvious semantics: the semantics of a judgement
in LU is the same as the semantics of the corresponding judgement in LL.
Analogues of the theorems of Section 4 hold.

There  are  a  number  of  rules  which  one  would  expect  of  LU,  which  can  be 
derived  from  the  rules  given  here.  The  most  important  of  these  is  Cut-Int. 


Cut-Int
\[ \frac{;\ \Phi \vdash t : A \qquad \Delta;\ x : A, \Psi \vdash u : B}{\Delta;\ \Phi, \Psi \vdash (\mathrm{let}\ !x = !t\ \mathrm{in}\ u) : B} \]

This rule is derived as follows.

\[ \frac{\dfrac{;\ \Phi \vdash t : A}{;\ \Phi \vdash\ !t : !A}\ \text{Promotion} \qquad \dfrac{\dfrac{\Delta;\ x : A, \Psi \vdash u : B}{\Delta, !x : !A;\ \Psi \vdash u : B}\ \text{Dereliction}}{\Delta, y : !A;\ \Psi \vdash (\mathrm{let}\ !x = y\ \mathrm{in}\ u) : B}\ \text{Let}}{\Delta;\ \Phi, \Psi \vdash (\mathrm{let}\ !x = !t\ \mathrm{in}\ u) : B}\ \text{Cut} \]

Observe that the semantics of (let !x = !t in u) is identical to the semantics of
u[t/x], which may offer further scope for simplification.


6  Variations 

Many programmers are unfamiliar with the ⊸-L rule of the sequent calculus, and
may find the ⊸-E rule of natural deduction more natural. On the other hand,
the use of sequent calculus seems to naturally capture the pattern matching in
the ⊗ and & rules, so there may be some value in exploring a hybrid of the two
systems. One variation would simply replace the ⊸-L rule by ⊸-E. This might
be easier for programmers to follow, though important logical properties such as
cut-elimination would be lost.
The work presented here extends straightforwardly to handle sums.

\[ \frac{\Gamma \vdash t : A}{\Gamma \vdash (\mathrm{inl}\ t) : (A \oplus B)} \qquad \frac{\Gamma \vdash u : B}{\Gamma \vdash (\mathrm{inr}\ u) : (A \oplus B)} \]

\[ \frac{\Gamma \vdash z : (A \oplus B) \qquad \Delta, p : A \vdash t : C \qquad \Delta, q : B \vdash u : C}{\Gamma, \Delta \vdash (\mathrm{case}\ z\ \mathrm{of}\ \{\mathrm{inl}\ p \to t;\ \mathrm{inr}\ q \to u\}) : C} \]

These rules do not exploit the power of pattern matching as thoroughly as one
might hope; for instance, patterns of the form (inl p) and (inr q) cannot appear
nested inside other patterns. An open question is whether there is a different
approach that allows for such nested patterns. One path in this direction is
indicated by the work of Breazu-Tannen, Kesner, and Puel [BTKP93].

Another variation is to include patterns to indicate Contraction and Weakening.
The grammar of patterns is divided into patterns and of-course patterns,
the former being a superset of the latter.

p, q ::= x | (p, q) | ⟨p, _⟩ | ⟨_, q⟩ | o
o, r ::= (o@r) | _ | !x


Let p, q range over patterns, and o, r range over of-course patterns. The new
rules are as follows.

Promotion
\[ \frac{o_1 : !A_1, \ldots, o_n : !A_n \vdash t : B}{o_1 : !A_1, \ldots, o_n : !A_n \vdash\ !t : !B} \]

Dereliction
\[ \frac{\Gamma, z : A \vdash t : B}{\Gamma, !z : !A \vdash t : B} \]

Contraction
\[ \frac{\Gamma, o : !A, r : !A \vdash t : B}{\Gamma, (o@r) : !A \vdash t : B} \]

Weakening
\[ \frac{\Gamma \vdash t : B}{\Gamma, \_ : !A \vdash t : B} \]

Dereliction,  Contraction,  and  Weakening  introduce  the  three  different  sorts  of 
of-course  pattern,  while  Promotion  allows  any  of-course  pattern.  This  variation 
is  included  simply  to  illustrate  that  the  approach  used  here  does  not  preclude 
the  use  of  specific  patterns  to  indicate  Contraction  and  Weakening.  However, 
in  practice  there  does  not  seem  to  be  much  value  in  including  such  detailed 
information. 
1 Introduction

Salomaa in [4] presented a complete axiomatisation for language equivalence of regular
expressions. In [2] Milner proposed a complete proof system for bisimulation equivalence over finite
state behaviors. Bisimulation equivalence is a very discriminating equivalence. Later, a weaker
equivalence, called observational congruence, was considered by Milner and its complete
axiomatisation was provided in [3]. Unlike language equivalence, both bisimulation equivalence
and observational congruence distinguish between finite state behaviors on the basis of their
branching structure.

In this paper trace congruence is considered. Trace congruence ignores branching structure
and is close to language equivalence of classical automata theory. We provide a complete proof
system for trace congruence over finite state behaviors presented as μ-expressions.

The paper is organized as follows: In Section 2 finite state behaviors are described as
μ-expressions. Section 3 introduces trace equivalence. Unfortunately, trace equivalence is not
substitutive. Section 3 provides a characterization of the fully abstract refinement of trace
equivalence which we call trace congruence. A proof system for trace congruence is presented
in section 4. The proof of its completeness is given in section 6. Section 5 contains some
definitions which are helpful for the completeness proof.

In section 7 we comment about the relationship between our axiomatisation and Salomaa's
classical axiomatisation of language equivalence for regular expressions. One of the open
questions mentioned in [2] is to find an axiomatisation of bisimulation equivalence for finite state
behaviors presented as regular expressions. We provide such an axiomatisation for a variant of
regular expressions. Two appendixes contain the proofs of technical lemmas.


2 μ-Expressions


We are dealing in this paper with finite state behaviors presented as μ-expressions. Let us first
recall some definitions and facts about μ-expressions and their behaviors. The presentation is
based on [2, 3].
We presuppose two fixed sets

Act = {a, a1, ..., b, b1, ...} the actions
Var = {X, X1, ..., Y, Y1, ...} the variables.

μ-expressions are defined by the following grammar:

E ::= 0 | X | aE | E + E | μX.E, where X ∈ Var, a ∈ Act.

μ stands for recursion (binding the variable which follows it). The notions of free and bound
occurrences of a variable in an expression are defined as usual. An occurrence of X is guarded
in E if it occurs within a subexpression aF of E. A variable is guarded in E if all its occurrences
in E are guarded.

We write E{E1/X1, ..., En/Xn} for the expression obtained by simultaneous substitution of Ei
for each free occurrence of Xi in E, renaming bound variables as necessary. The definition is
standard and is omitted.

An expression can evolve to another expression by performing an action. We write
\( E \xrightarrow{a} E' \) if E can evolve to E' by performing action a. The definition of the transition
relation is provided by the following inference rules:

Definition 1 \( E \xrightarrow{a} E' \) if it can be shown by the following inference rules:

1. \( aE \xrightarrow{a} E \)

2. \( \dfrac{E_1 \xrightarrow{a} E_1'}{E_1 + E_2 \xrightarrow{a} E_1'} \qquad \dfrac{E_2 \xrightarrow{a} E_2'}{E_1 + E_2 \xrightarrow{a} E_2'} \)

3. \( \dfrac{E\{\mu X.E/X\} \xrightarrow{a} E'}{\mu X.E \xrightarrow{a} E'} \)

Charts  generalize  automata  and  are  defined  as  follows: 


Definition 2 A chart C is a quadruple ⟨Q, s, D, Ex⟩ where:

Q is a nonempty set (the nodes)
s ∈ Q (the initial state)
D ⊆ Q × Act × Q (the derivations)
Ex ⊆ Q × Var (the extensions)

C is finite if Q, D, Ex are finite.

With μ-expression E the chart (notation Chart(E)) is associated as follows:
Nodes: all μ-expressions.
The initial node: E.
(E1, a, E2) ∈ D if \( E_1 \xrightarrow{a} E_2 \).
(E, X) ∈ Ex if there is a free occurrence of X in E which is not guarded.

Let a be an action and s, s' be states of chart C; we shall write \( s \xrightarrow{a} s' \) if (s, a, s') ∈ D.

Charts are too concrete objects. Usually a behavior equivalence ~ is introduced on charts
and the objects are ~-equivalence classes of charts. One of the most important equivalences
studied in concurrency is bisimulation equivalence ~bisim. Milner showed

Fact 2.1 (μ-expressions represent finite behaviors)

1. For every finite chart C there exists an expression E such that Chart(E) ~bisim C.

2. For every expression E there exists a finite chart C such that Chart(E) ~bisim C.

Bisimulation equivalence is a very discriminating equivalence and most equivalences studied
in the literature are coarser than it. Clearly, fact 2.1 holds when ~bisim is replaced by any
equivalence which is coarser than bisimulation. All these justify the use of the adjective 'finite
state behavior' with μ-expressions.

3  Trace  Equivalence  and  Trace  Congruence 

In this section we define trace equivalence on charts. Then, we find a fully abstract refinement
of trace equivalence wrt the operations: sum, prefixing, substitution and recursion.

Definition 3 (Traces and generalized traces.) Let C be a chart and s0 be its initial state.

• A trace of C is a sequence a1...an of actions such that there exist nodes s1...sn in C
and \( s_{i-1} \xrightarrow{a_i} s_i \) for i = 1...n.

• A generalized trace of chart C is a pair consisting of a sequence a1...an of actions and
a variable X such that there exist nodes s1...sn in C, and \( s_{i-1} \xrightarrow{a_i} s_i \) for i = 1...n and
X ∈ Ex(sn).

Remark: (1) The set of traces of chart C is a subset of Act*; the set of generalized traces of C
is a subset of Act* × Var. (2) The set of traces of C is prefix closed, i.e., if a1...an is a trace of
C then for every m < n its prefix a1...am is a trace of C. In particular, every chart contains
the empty trace ε.

We say that expressions E and E' are trace equivalent if their corresponding charts have the
same set of traces. For an expression E, we denote by trace(E) the set of traces of the
corresponding chart.
Lemma 3.1 (Operations on traces)

1. trace(0) = {ε} - the empty string.

2. trace(X) = {ε} - the empty string.

3. trace(E + E') = trace(E) ∪ trace(E').

4. trace(aE) = {as : s ∈ trace(E)}.

Unfortunately, trace equivalence is not a congruence wrt substitution and the μ operator. For
example, 0 and X have the same traces, but 0{a0/X} and X{a0/X} have different traces. We
are looking for the maximal equivalence which refines trace equivalence and is a congruence wrt
prefixing, sum, substitution and fixed point. Such an equivalence is called the fully abstract
refinement of traces wrt the above operations.

Theorem 3.2 (Full abstractness.) The fully abstract refinement of trace equivalence with
respect to sum, prefixing, substitution and recursion is characterised as follows: E and E' are
equivalent iff they have the same set of traces and the same set of generalised traces.

We will use the term 'trace congruence' (notation ~trace) for this fully abstract equivalence.

Proof: The proof that this equivalence is a congruence is quite straightforward and is omitted.

To show that it is fully abstract, assume that the set of variables which are free in E and E' is
a subset of {X1, ..., Xn}. Let a1...an be different actions which do not appear in E, E'. Then
E{a1 0/X1, ..., an 0/Xn} and E'{a1 0/X1, ..., an 0/Xn} are trace equivalent only if E and E' have
the same set of generalized traces. Therefore, if E and E' are related by a congruence ~ which
refines trace equivalence, they have the same set of generalized traces. Since ~ refines trace
equivalence, E and E' should also have the same set of traces.

To summarize, ~trace is a congruence and any congruence ~ which refines trace equivalence
should refine ~trace. Therefore, ~trace is the fully abstract refinement of trace equivalence. □

Remark: (1) Trace congruence is also the fully abstract refinement of trace equivalence wrt
the operations prefix, sum and recursion. (2) If every node of charts C, C' has the empty
extension, then C and C' are trace congruent iff they are trace equivalent. In particular, trace
congruence and trace equivalence coincide for μ-expressions without free variables.
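The following added example (our own code, not the paper's) implements the transition rules of Definition 1, the extension component of Chart(E), and trace and generalized-trace sets bounded by a given length; it then checks Lemma 3.1, the 0 versus X counterexample, and the Theorem 3.2 criterion on small expressions. The tuple encoding of μ-expressions, the no-capture assumption in substitution and the bound on trace length are assumptions of the example, as are the sample expressions.

```python
# Added example (not from the paper): transitions, extensions and bounded
# trace sets of mu-expressions.  Encoding (our own):
#   0 -> ('nil',)   X -> ('var', 'X')   aE -> ('pre', 'a', E)
#   E + E' -> ('sum', E, E')   muX.E -> ('mu', 'X', E)

NIL = ('nil',)


def subst(E, X, F):
    """E{F/X}; assumes bound variables of E are not free in F (no capture)."""
    k = E[0]
    if k == 'nil':
        return E
    if k == 'var':
        return F if E[1] == X else E
    if k == 'pre':
        return ('pre', E[1], subst(E[2], X, F))
    if k == 'sum':
        return ('sum', subst(E[1], X, F), subst(E[2], X, F))
    if k == 'mu':
        return E if E[1] == X else ('mu', E[1], subst(E[2], X, F))
    raise ValueError(E)


def transitions(E, unfolding=frozenset()):
    """{(a, E') : E --a--> E'} by the rules of Definition 1.  A mu-expression
    already being unfolded on the current path (e.g. muX.X) contributes no
    derivation, since a derivation tree must be finite."""
    k = E[0]
    if k in ('nil', 'var'):
        return set()
    if k == 'pre':                                   # rule 1: aE --a--> E
        return {(E[1], E[2])}
    if k == 'sum':                                   # rule 2: either summand
        return transitions(E[1], unfolding) | transitions(E[2], unfolding)
    if E in unfolding:
        return set()
    return transitions(subst(E[2], E[1], E), unfolding | {E})  # rule 3


def extension(E):
    """Variables with a free, unguarded occurrence in E (the Ex component)."""
    k = E[0]
    if k in ('nil', 'pre'):
        return set()
    if k == 'var':
        return {E[1]}
    if k == 'sum':
        return extension(E[1]) | extension(E[2])
    return extension(E[2]) - {E[1]}


def trace_sets(E, bound):
    """(traces, generalized traces) of Chart(E) with length <= bound."""
    traces, gtraces = set(), set()
    frontier = {((), E)}
    for _ in range(bound + 1):
        nxt = set()
        for w, node in frontier:
            traces.add(w)
            gtraces |= {(w, X) for X in extension(node)}
            nxt |= {(w + (a,), node2) for a, node2 in transitions(node)}
        frontier = nxt
    return traces, gtraces


def trace_congruent(E, F, bound):
    """Theorem 3.2 criterion, checked up to the given trace length."""
    return trace_sets(E, bound) == trace_sets(F, bound)


def demo():
    a0 = ('pre', 'a', NIL)
    X, Y = ('var', 'X'), ('var', 'Y')
    loop = ('mu', 'X', ('pre', 'a', X))                 # muX.aX
    return {
        # trace(0) = trace(X) = {empty}, but X has generalized trace (empty, X)
        'zero_vs_X_equivalent': trace_sets(NIL, 3)[0] == trace_sets(X, 3)[0],
        'zero_vs_X_congruent': trace_congruent(NIL, X, 3),
        # substituting a0 for X separates them: trace equivalence is no congruence
        'after_subst': trace_sets(subst(NIL, 'X', a0), 3)[0]
                       == trace_sets(subst(X, 'X', a0), 3)[0],
        # P1: aX + aY and a(X + Y) are trace congruent
        'P1': trace_congruent(('sum', ('pre', 'a', X), ('pre', 'a', Y)),
                              ('pre', 'a', ('sum', X, Y)), 3),
        # R3: muX.E = muX.(E + X)
        'R3': trace_congruent(loop, ('mu', 'X', ('sum', ('pre', 'a', X), X)), 3),
        # Section 8(c): trace congruence identifies 0 and muX.X
        'divergence': trace_congruent(NIL, ('mu', 'X', X), 3),
    }
```

The bound is needed because a recursive expression has infinitely many traces; for a decision procedure one would instead compare the finite charts of Fact 2.1, which the bounded comparison here approximates.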

4  Proof  System 

Our  proof  system  for  trace  congruence  in  addition  to  the  standard  equivalence  and  congruence 
inference  rules  has  the  following  axioms  and  fixed  point  inference  rule. 

Axioms

S1 E + F = F + E
S2 (E + F) + G = E + (F + G)
S3 E + E = E
S4 E + 0 = E

R1 μX.E = μY.(E{Y/X}), Y not free in E
R2 μX.E = E{μX.E/X}
R3 μX.E = μX.(E + X)

P1 aX + aY = a(X + Y)

Fixed point Inference Rule

R4 From E = F{E/X}, X guarded in F, infer E = μX.F.

The set of axioms S1-S4 is sound and complete for bisimulation equivalence over the recursion
free subset of μ-expressions [1]. It is well known that by augmenting this set by P1 a sound and
complete system is obtained for trace equivalence over the variable free subset of μ-expressions.
Moreover, it is not difficult to check that S1-S4, P1 are also sound and complete for trace
congruence over the recursion free subset of μ-expressions.

The main result of [2] is that the set of axioms S1-S4, R1-R3 and fixed point inference rule
R4 is a sound and complete system for bisimulation equivalence. Our system is obtained by
augmenting this set by P1; we will show that it is sound and complete for trace congruence.

Notations: We write ⊢ E = E' if E = E' is provable in our system. We write ⊢_M E = E' if
E = E' is provable without using axiom P1, i.e. it is provable in Milner's system.

5  Systems  of  Equations 

This  section  contains  some  definitions  which  are  needed  for  the  completeness  proof  given  in  the 
next  section. 

Definition 4 (an (X; Y) system of equations) Let X = {X1, ..., Xn}, Y = {Y1, ..., Ym} be
different variables and F = {F1, ..., Fn} expressions with free variables in X ∪ Y. A sequence of
formal equations Sys := ⟨X1 = F1, ..., Xn = Fn⟩ is called an (X; Y) system of equations; X
are called the bound variables of the system and X1 is the principal variable of the system.

Definition 5 (Guarded, standard and deterministic systems)

• An (X; Y) system is guarded if all X variables are guarded in the expressions Fi of the
system.

• A system is standard if all Fi are of the form \( \sum_{j \in J_i} a_{i,j} X_{f(i,j)} + \sum_{k \in K_i} Y_{g(i,k)} \).

• A standard system is called deterministic if a_{i,j} = a_{i,j'} implies that j = j'.

Note that standard and deterministic systems of equations are guarded.

Definition 6 (Solutions of a system) Consider an (X1...Xn; Y1...Ym) system Sys with
equations Xi = Fi, for i = 1, ..., n.

• A sequence E1, E2, ..., En of expressions is a solution of Sys iff for every i
Ei ~trace Fi{E1/X1, ..., En/Xn}; expression E1 is called a principal solution of the system.

• E1, E2, ..., En is an M-provable solution of Sys iff ⊢_M Ei = Fi{E1/X1, ..., En/Xn} for
every i; expression E1 is called a principal M-provable solution of the system.

• E1, E2, ..., En is a provable solution of Sys iff ⊢ Ei = Fi{E1/X1, ..., En/Xn} for every i;
expression E1 is called a principal provable solution of the system.


6  Soundness  and  Completeness 

Theorem  6.1  (Soundness)  The  axioms  and  the  inference  rules  are  sound  for  trace  congruence. 

As usual, the proof of the soundness theorem is simple and we concentrate here on the
completeness proof. Our completeness proof is based on Milner's completeness proof for bisimulation
equivalence [2]. Many of our arguments are modifications of his ideas.

The following theorem was proved by Milner (theorem 5.7 in [2]).

Theorem 6.2 (Unique M-provable solution of equations.) Every guarded (X; Y) system of
equations Sys has a unique M-provable solution, i.e., Sys has an M-provable solution and if
both E1, ..., En and E'1, ..., E'n are M-provable solutions of Sys then ⊢_M Ei = E'i for i = 1, ..., n.

In [2] it was shown (theorem 5.8)

Theorem 6.3 (Equational characterization of μ-expressions.) Every μ-expression is a
principal M-provable solution of a standard system of equations.

M-provable equations are provable, therefore.

Corollary 6.4 Every μ-expression is a principal provable solution of a standard system of
equations.

We strengthen the corollary and show

Theorem 6.5 Every μ-expression is a principal provable solution of a deterministic system of
equations.

Proof: The proof is given in appendix A. □

Our proof of the completeness theorem uses the following

Claim 6.6 Assume (1) E ~trace E' (2) E is a provable principal solution of deterministic
system of equations Sys (3) E' is a provable principal solution of deterministic system of
equations Sys'. Then there exists a guarded system Sys'' such that both E and E' are its principal
provable solutions.

Proof: The proof is given in appendix B. □

Theorem 6.7 (Completeness) If E ~trace E' then ⊢ E = E'.

Proof: Actually, Milner's proof of theorem 6.2 also gives the unique provable solution theorem:
every guarded system of equations has a unique provable solution.

Now, by theorem 6.5 there exist deterministic systems of equations Sys and Sys' such that E
and E' are principal provable solutions of Sys and Sys' respectively.

Therefore, by claim 6.6, there exists a guarded system of equations Sys'' such that both E and
E' are its principal provable solutions. Therefore, by the unique provable solution theorem,
⊢ E = E'. □


7  Relationship  to  Salomaa’s  axiomatisation 

In [4] Salomaa presented a complete axiom system for language equivalence over regular
expressions. Trace congruence is conceptually close to language equivalence. Our proof has the
same structure as Salomaa's (unique provable solution theorem, equational characterization
theorem), but in many technical arguments it is closer to Milner's proof for bisimulation
equivalence and surprisingly, we were unable to adopt Salomaa's proof for a complete axiomatisation
of trace congruence.

The main obstacle for extending Salomaa's proof lies in the fact that the empty language is
present explicitly in his axiomatisation and plays a very important role there. However, for trace
congruence there is no expression which 'corresponds' to the empty language. In particular,
unlike the language law b0 = 0 = a0, there exists no expression E for which aE is trace
congruent to bE.

In the rest of this section we consider an interesting subset of regular expressions. Adopting
Salomaa's results, we provide an axiomatisation of bisimulation equivalence and an axiomatisation
of trace congruence over this subset. The proofs are omitted and will be given in the full
paper.


7.1 #-Expressions

In remark 5 of [4] it is explained how to axiomatise 'regular expressions' without the empty
language.

More exactly, Salomaa considers expressions constructed from an alphabet by the following
operations: concatenation, sum and positive iteration # (A# = A + AA + AAA + ...). Let
us call such expressions #-expressions. It is claimed there that the following proof system is
complete for #-expressions:

Axioms:

A1: Associativity of sum.

A2: Associativity of concatenation.

A3: Commutativity of sum.

A4: A(B + C) = AB + AC.

A5: (A + B)C = AC + BC.

A6: A + A = A.

A'10: A# = A + AA#

Inference rules:

R1: Usual congruence rules.

R2: A = BA + C implies A = B#C + C.
7.2 Embedding of #-expressions into μ-expressions

Similar to Milner's [2] embedding of the standard regular expressions into μ-expressions one
can embed #-expressions into μ-expressions.

Let X be a distinguished variable. Define:

1. Em(a) = aX for every action a.

2. Em(A + B) = Em(A) + Em(B).

3. Em(AB) = Em(A){Em(B)/X}.

4. Em(A#) = μY.A + A{Y/X}

Remark 1. In the chart of Em(A) the nodes may have either an extension X or the empty
extension. From every node, a node with extension X is reachable. The initial node has the
empty extension. Such a chart can be considered as an automaton whose accepting states are
the nodes with extension X. The language accepted by this automaton coincides with the
language defined by expression A.

Remark 2. (Axiomatisation of trace congruence over #-expressions.) This embedding is
adequate for trace congruence, i.e., A = B is provable in Salomaa's axiomatisation iff Em(A) =
Em(B) is provable in our axiomatisation of trace congruence.


7.3 Axiomatisation of #-expressions wrt bisimulation

Bisimulation equivalence, due to Milner and Park, is one of the most fundamental equivalences
that has emerged in concurrency. Its definition is omitted here, but let us note that axiom A'10
holds even for bisimulation equivalence, i.e. Em(A#) is bisimilar to Em(A) + Em(A)Em(A#).

It is also easy to see that the axioms A1, A2, A3, A5, A6 and the inference rules R1, R2 are
valid for bisimulation, but axiom A4 fails.

We do not know whether the set A1, A2, A3, A5, A6, A10, R1, R2 is complete for bisimulation
equivalence over #-expressions. One can show that there exists no #-expression which solves
equation Y = aY + b. We do not know how to characterize the systems of equations with
the solutions bisimilar to #-expressions.

However, we can prove that a complete proof system for bisimulation equivalence is obtained
when R2 is replaced by the following inference rule:

R3: Every system of equations of the form Yi = Σj ... has at most one solution.

8  Further  Results 

(a) Axiomatisation of trace approximation - straightforward.

(b) τ-action. The addition of axiom E = τE provides a complete axiomatisation of trace
congruence with unobservable action τ.

(c) Divergence. Trace congruence identifies expressions 0 and μX.X. We can introduce the
notion of divergence and provide a complete axiomatisation for the refinement of trace congruence
which properly takes into account divergence.
Appendix


The appendix contains two sections. In section A theorem 6.5 is proved; in section B claim 6.6
is proved.


A  Determinization 


In this appendix we show that every expression is a principal provable solution of a deterministic
system of equations. This fact follows immediately from corollary 6.4 and the following

Claim A.1 If E1 is a principal provable solution of a standard system of equations, then E1
is a principal provable solution of a deterministic system of equations.

First, we introduce some notations which are helpful in the proof of the claim.

Let \( X_i = \sum_{j \in J_i} a_{i,j} X_{f(i,j)} + \sum_{k \in K_i} Y_{g(i,k)} \) be an equation.

Define

S(i) = {a_{i,j} : j ∈ Ji} - successor actions of Xi.

D(i, a) = {r : aXr is a summand of the equation} - a-derivatives of Xi.

Ex(i) = {r : Yr is a summand of the equation} - extensions of Xi.

Extend point-wise these functions to the subsets of {1, ..., p}, i.e.

\( S(Q) = \bigcup_{i \in Q} S(i) \),

\( D(Q, a) = \bigcup_{i \in Q} D(i, a) \),

\( Ex(Q) = \bigcup_{i \in Q} Ex(i) \).

Now, if \( X_i = \sum_{j \in J_i} a_{i,j} X_{f(i,j)} + \sum_{k \in K_i} Y_{g(i,k)} \) is an equation in our system, it can be easily
shown, by the axioms for sum, that

\[ \sum_{j \in J_i} a_{i,j} X_{f(i,j)} + \sum_{k \in K_i} Y_{g(i,k)} = \sum_{a \in S(i)} \Big( \sum_{r \in D(i,a)} a X_r \Big) + \sum_{r \in Ex(i)} Y_r . \]

Therefore, every standard system of equations is ⊢_M equivalent to a system with equations of
the form \( X_i = \sum_{a \in S(i)} (\sum_{r \in D(i,a)} a X_r) + \sum_{r \in Ex(i)} Y_r \). From now on, we will only consider such
systems.

Now we are ready to start the proof of claim A.1.

Since $E_1$ is a principal provable solution of a standard system of equations there exist $E_2, \ldots, E_p$ and a system of equations

$Sys = \begin{cases} X_1 = \sum_{a \in S(1)} \bigl( \sum_{r \in D(1,a)} aX_r \bigr) + \sum_{r \in Ex(1)} Y_r \\ \quad\vdots \\ X_i = \sum_{a \in S(i)} \bigl( \sum_{r \in D(i,a)} aX_r \bigr) + \sum_{r \in Ex(i)} Y_r \\ \quad\vdots \\ X_p = \sum_{a \in S(p)} \bigl( \sum_{r \in D(p,a)} aX_r \bigr) + \sum_{r \in Ex(p)} Y_r \end{cases}$

such that for every $i$

$\vdash E_i = \sum_{a \in S(i)} \Bigl( \sum_{r \in D(i,a)} aE_r \Bigr) + \sum_{r \in Ex(i)} Y_r. \qquad (1)$

We are going to define a deterministic system of equations $Sys'$ and to show that $E_1$ is its principal solution. The bound variables of $Sys'$ are indexed by the subsets of $\{1, \ldots, p\}$; $X_{\{1\}}$ is its principal variable. For a set $Q \subseteq \{1, \ldots, p\}$ the equation for $X_Q$ is:

$X_Q = \sum_{a \in S(Q)} aX_{D(Q,a)} + \sum_{r \in Ex(Q)} Y_r.$

It is clear that this is a deterministic system.

Define $E_Q = \sum_{i \in Q} E_i$. We claim that $\vdash E_Q = \sum_{a \in S(Q)} aE_{D(Q,a)} + \sum_{r \in Ex(Q)} Y_r$. Note that

$\vdash E_{Q_1} + E_{Q_2} = E_{Q_1 \cup Q_2}.$

Recall that by the assumption of the claim

$\vdash E_i = \sum_{a \in S(i)} \Bigl( \sum_{r \in D(i,a)} aE_r \Bigr) + \sum_{r \in Ex(i)} Y_r. \qquad (2)$

Therefore, adding the equations for $i \in Q$,

$\vdash \sum_{i \in Q} E_i = \sum_{i \in Q} \Bigl( \sum_{a \in S(i)} \Bigl( \sum_{r \in D(i,a)} aE_r \Bigr) + \sum_{r \in Ex(i)} Y_r \Bigr). \qquad (3)$

The left-hand side is $E_Q$ by the definition of $E_Q$, so

$\vdash E_Q = \sum_{i \in Q} \Bigl( \sum_{a \in S(i)} \Bigl( \sum_{r \in D(i,a)} aE_r \Bigr) + \sum_{r \in Ex(i)} Y_r \Bigr). \qquad (4)$

The right-hand side can be rearranged, by the axioms for $+$, and gives

$\vdash E_Q = \sum_{a \in \bigcup_{i \in Q} S(i)} \Bigl( \sum_{r \in \bigcup_{i \in Q} D(i,a)} aE_r \Bigr) + \sum_{r \in \bigcup_{i \in Q} Ex(i)} Y_r. \qquad (5)$

By the idempotence of $+$, and the fact that $S$, $D$, $Ex$ are extended point-wise to sets, we obtain:

$\vdash E_Q = \sum_{a \in S(Q)} \Bigl( \sum_{r \in D(Q,a)} aE_r \Bigr) + \sum_{r \in Ex(Q)} Y_r. \qquad (6)$

Now applying the prefix axiom, $aX + aY = a(X + Y)$, we derive

$\vdash E_Q = \sum_{a \in S(Q)} a \Bigl( \sum_{r \in D(Q,a)} E_r \Bigr) + \sum_{r \in Ex(Q)} Y_r. \qquad (7)$

By the definition, $E_{D(Q,a)} = \sum_{r \in D(Q,a)} E_r$, therefore

$\vdash E_Q = \sum_{a \in S(Q)} aE_{D(Q,a)} + \sum_{r \in Ex(Q)} Y_r. \qquad (8)$

Hence, the equations obtained by substitution of $E_Q$ for $X_Q$ in the equations of $Sys'$ are provable. In particular, $E_1 = E_{\{1\}}$ is a principal provable solution of $Sys'$.
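The subset construction used in this proof, as an added worked example (this is not code from the paper): a standard system is given explicitly as a finite table, $S(i)$, $D(i,a)$ and $Ex(i)$ are read off each equation and extended point-wise to sets $Q$, and $Sys'$ is generated only for the subsets $Q$ reachable from $\{1\}$, which is all a principal solution needs. The input format, the helper names and the constructed sample system ($X_1 = aX_1 + aX_2 + Y_1$, $X_2 = bX_1 + Y_2$) are the example's own assumptions.

```python
"""Subset construction behind Claim A.1 (added example, not from the paper).

A standard system is a dict: variable i -> (list of (action, target) for the
summands a X_target, set of extension names for the summands Y_r).  S(i),
D(i, a), Ex(i) are the successor actions, a-derivatives and extensions of X_i,
extended point-wise to sets Q; Sys' has one variable X_Q per reachable subset Q,
X_Q = sum_{a in S(Q)} a X_{D(Q,a)} + sum_{r in Ex(Q)} Y_r, which is deterministic
because each action a guards exactly one summand of X_Q.
"""
from collections import deque

# Constructed sample standard system (not deterministic: X_1 has two a-summands):
#   X_1 = a X_1 + a X_2 + Y_1
#   X_2 = b X_1 + Y_2
SAMPLE = {
    1: ([("a", 1), ("a", 2)], {"Y1"}),
    2: ([("b", 1)], {"Y2"}),
}

def successors(system, i):
    """S(i): the actions a occurring in a summand a X_r of X_i."""
    return {a for a, _ in system[i][0]}

def derivatives(system, i, a):
    """D(i, a): the targets r of the a-summands a X_r of X_i."""
    return {r for b, r in system[i][0] if b == a}

def extensions(system, i):
    """Ex(i): the names r of the extension summands Y_r of X_i."""
    return set(system[i][1])

def S(system, Q):
    return set().union(*(successors(system, i) for i in Q))

def D(system, Q, a):
    return frozenset().union(*(derivatives(system, i, a) for i in Q))

def Ex(system, Q):
    return frozenset().union(*(extensions(system, i) for i in Q))

def determinize(system, principal=1):
    """Build Sys': variables are the subsets Q reachable from {principal}.
    Returns {Q: ({a: D(Q, a)}, Ex(Q))}, one entry per equation X_Q."""
    start = frozenset([principal])
    result, todo = {}, deque([start])
    while todo:
        Q = todo.popleft()
        if Q in result:
            continue
        deriv = {a: D(system, Q, a) for a in sorted(S(system, Q))}
        result[Q] = (deriv, Ex(system, Q))
        for target in deriv.values():
            if target not in result:
                todo.append(target)
    return result

def is_deterministic(system):
    """Every action guards exactly one summand of every equation."""
    return all(len({a for a, _ in summands}) == len(summands)
               for summands, _ in system.values())

def as_standard(det):
    """Re-express Sys' in the input format (targets are the frozensets Q)."""
    return {Q: ([(a, t) for a, t in deriv.items()], set(ext))
            for Q, (deriv, ext) in det.items()}

def render(det):
    """Human-readable equations of Sys'."""
    name = lambda Q: "X_{" + ",".join(map(str, sorted(Q))) + "}"
    lines = []
    for Q, (deriv, ext) in det.items():
        terms = [f"{a} {name(t)}" for a, t in deriv.items()] + sorted(ext)
        lines.append(f"{name(Q)} = " + " + ".join(terms))
    return "\n".join(lines)

if __name__ == "__main__":
    print(render(determinize(SAMPLE)))
```

On the sample, $Sys'$ has the two equations $X_{\{1\}} = aX_{\{1,2\}} + Y_1$ and $X_{\{1,2\}} = aX_{\{1,2\}} + bX_{\{1\}} + Y_1 + Y_2$; each action now guards exactly one summand, which is the determinism the proof relies on, and the extensions of $X_Q$ are the union of the extensions of its members, as in the derivation of (8).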

B Proof of Claim 6.6

In this section we prove claim 6.6. We recall claim 6.6.

Claim B.1 Assume (1) $E_1 \sim_{trace} E'_1$, (2) $E_1$ is a provable principal solution of a deterministic system of equations $Sys$, (3) $E'_1$ is a provable principal solution of a deterministic system of equations $Sys'$. Then there exists a guarded system $Sys''$ such that both $E_1$ and $E'_1$ are its principal provable solutions.

The proof is based on

Lemma B.2 Assume that (1) $E \sim_{trace} G$, (2) $E \sim_{trace} \sum_{i \in I} a_i E_i + \sum_{k \in K} Y_k$ and (3) $G \sim_{trace} \sum_{j \in J} b_j G_j + \sum_{m \in M} Z_m$, where the $a_i$ are pairwise different actions and the $b_j$ are pairwise different actions. Then (a) $\{Y_k : k \in K\} = \{Z_m : m \in M\}$; (b) $|I| = |J|$ and there exists a one-one function $h : I \to J$ such that $a_i = b_{h(i)}$ and $E_i \sim_{trace} G_{h(i)}$; (c) $G \sim_{trace} \sum_{i \in I} a_i G_{h(i)} + \sum_{k \in K} Y_k$ and

$\vdash \sum_{j \in J} b_j G_j + \sum_{m \in M} Z_m = \sum_{i \in I} a_i G_{h(i)} + \sum_{k \in K} Y_k.$

Proof: The initial node $s_0$ of the chart for $\sum_{i \in I} a_i E_i + \sum_{k \in K} Y_k$ has the extension $\{Y_k : k \in K\}$ and its set of successor actions is $\{a_i : i \in I\}$. The initial node $s'_0$ of the chart for $\sum_{j \in J} b_j G_j + \sum_{m \in M} Z_m$ has the extension $\{Z_m : m \in M\}$ and its set of successor actions is $\{b_j : j \in J\}$. In trace-equivalent charts the initial nodes have the same extension and the same set of successor actions, therefore $\{Y_k : k \in K\} = \{Z_m : m \in M\}$ and $\{a_i : i \in I\} = \{b_j : j \in J\}$. Moreover, since all $a_i$ are different and all $b_j$ are different, the relation $R(i,j) =_{def} (a_i = b_j)$ is the graph of a one-one function $h$ between the sets $I$ and $J$. In particular, using associativity and commutativity of $+$, the equation for $G$ can be rewritten into $G \sim_{trace} \sum_{i \in I} a_i G_{h(i)} + \sum_{m \in M} Z_m$ and

$\vdash \sum_{j \in J} b_j G_j + \sum_{m \in M} Z_m = \sum_{i \in I} a_i G_{h(i)} + \sum_{k \in K} Y_k.$

In the case when all actions $a_i$ are different, it can easily be shown that $(a_i s, X)$ is a generalized trace of $\sum_{i \in I} a_i E_i + \sum_{k \in K} Y_k$ iff $(s, X)$ is a generalized trace of $E_i$. Similarly, $(a_i s, X)$ is a generalized trace of $\sum_{i \in I} a_i G_{h(i)} + \sum_{k \in K} Y_k$ iff $(s, X)$ is a generalized trace of $G_{h(i)}$. Since $\sum_{i \in I} a_i E_i + \sum_{k \in K} Y_k$ and $\sum_{i \in I} a_i G_{h(i)} + \sum_{k \in K} Y_k$ have the same set of generalized traces, it follows that $E_i$ and $G_{h(i)}$ have the same set of generalized traces. Similar arguments show that $E_i$ and $G_{h(i)}$ have the same set of traces. Hence $E_i \sim_{trace} G_{h(i)}$. $\square$

Now we proceed with the proof of claim B.1. Let $E_1, \ldots, E_p$ be a provable solution of a deterministic system of equations:

$\vdash E_i = \sum_{j \in J_i} a_{i,j} E_{f(i,j)} + \sum_{j \in K_i} Y_{g(i,j)}, \qquad i = 1, \ldots, p. \qquad (9)$

Let $E'_1, \ldots, E'_m$ be a provable solution of a deterministic system of equations:

$\vdash E'_{i'} = \sum_{j \in J'_{i'}} b_{i',j} E'_{f'(i',j)} + \sum_{j \in K'_{i'}} Y_{g'(i',j)}, \qquad i' = 1, \ldots, m. \qquad (10)$

All provable equations are valid, therefore in the above equations $=$ can be replaced by $\sim_{trace}$. Define the set $R = \{(i, i') : E_i \sim_{trace} E'_{i'}\}$. $R$ is not empty, because $(1,1) \in R$.

For $(i, i') \in R$, all the assumptions of lemma B.2 hold, therefore there exists a one-one function $h_{i,i'} : J_i \to J'_{i'}$ such that $a_{i,j} = b_{i',h_{i,i'}(j)}$ and $E_{f(i,j)} \sim_{trace} E'_{f'(i',h_{i,i'}(j))}$.

Consider the following system of equations $Sys''$ with bound variables indexed by the elements of $R$. The equation for $X_{i,i'}$ is:

$X_{i,i'} = \sum_{j \in J_i} a_{i,j} X_{f(i,j),\, f'(i',h_{i,i'}(j))} + \sum_{j \in K_i} Y_{g(i,j)}. \qquad (11)$

Note that all bound variables in this system are indexed by elements of $R$. Indeed $E_{f(i,j)} \sim_{trace} E'_{f'(i',h_{i,i'}(j))}$ by conclusion (b) of lemma B.2. Therefore, the pair $(f(i,j), f'(i',h_{i,i'}(j)))$ is in $R$.

Define a sequence of expressions indexed by elements of $R$: $E_{i,i'} = E_i$. We claim that when the $E_{i,i'}$ are substituted for $X_{i,i'}$ in $Sys''$, then the resulting equations are provable. Indeed, after substitution, the equations $(i,i')$ become

$\vdash E_{i,i'} = \sum_{j \in J_i} a_{i,j} E_{f(i,j),\, f'(i',h_{i,i'}(j))} + \sum_{j \in K_i} Y_{g(i,j)} \qquad (12)$

and by the definition of $E_{i,i'}$ this is equivalent to

$\vdash E_i = \sum_{j \in J_i} a_{i,j} E_{f(i,j)} + \sum_{j \in K_i} Y_{g(i,j)}, \qquad (13)$

which by our assumption (9) is provable. Therefore (12) is also provable.

Now define another sequence of expressions indexed by elements of $R$: $E'_{i,i'} = E'_{i'}$. Again we claim that when the $E'_{i,i'}$ are substituted for $X_{i,i'}$ in $Sys''$ then the resulting equations are provable. Indeed, after substitution, the equations for $X_{i,i'}$ become

$\vdash E'_{i,i'} = \sum_{j \in J_i} a_{i,j} E'_{f(i,j),\, f'(i',h_{i,i'}(j))} + \sum_{j \in K_i} Y_{g(i,j)} \qquad (14)$

and by the definition of $E'_{i,i'}$ it is provable iff

$\vdash E'_{i'} = \sum_{j \in J_i} a_{i,j} E'_{f'(i',h_{i,i'}(j))} + \sum_{j \in K_i} Y_{g(i,j)}. \qquad (15)$

By (c) of the lemma

$\vdash \sum_{j \in J'_{i'}} b_{i',j} E'_{f'(i',j)} + \sum_{j \in K'_{i'}} Y_{g'(i',j)} = \sum_{j \in J_i} a_{i,j} E'_{f'(i',h_{i,i'}(j))} + \sum_{j \in K_i} Y_{g(i,j)},$

therefore (14) is provable iff the following is provable:

$\vdash E'_{i'} = \sum_{j \in J'_{i'}} b_{i',j} E'_{f'(i',j)} + \sum_{j \in K'_{i'}} Y_{g'(i',j)}, \qquad i' = 1, \ldots, m. \qquad (16)$

However, this is provable by our assumption (see equation (10) above). Hence, both $E_{1,1}$ and $E'_{1,1}$ are principal provable solutions of $Sys''$. But, by the definition, $E_{1,1} = E_1$ and $E'_{1,1} = E'_1$. Therefore $E_1$ and $E'_1$ are principal provable solutions of $Sys''$.

Finally, note that $Sys''$ is a guarded system and its size is polynomial in the sizes of $Sys$ and $Sys'$.


THE ASYMMETRIC TOPOLOGY
OF COMPUTER SCIENCE

R. C. Flagg, Mathematics
U. of Southern Maine, Portland, ME 04103

R. D. Kopperman, Mathematics
City College of New York, New York, NY 10031

1. Continuity Spaces and Asymmetric Topology

Computer science tends to need analysis of "topological" situations in which orderings and generalized metrics, both symmetric and asymmetric, play a role. Many of its natural topologies are not $T_1$ (for the definition see a text, such as [Ke]), for example:
the lower and Scott topologies on a continuous lattice and
the topology of digital $n$-space.

In fact, these spaces fail to satisfy the weak symmetry axiom:

$x \in cl\{y\} \Rightarrow y \in cl\{x\}.$

Here, as often in mathematics, the lack of symmetry leads to a straightforward duality. Some examples elsewhere in mathematics include:

for noncommutative rings and algebras, define $R^* = (R, +, \circ)$, where $a \circ b = ba$ (the same works for monoids and categories),
for partial orders, $P^* = (P, \le^{-1})$,
for quasimetrics, $d^*(x,y) = d(y,x)$,
for quasiuniformities, $\mathcal{Q}^* = \{Q^{-1} \mid Q \in \mathcal{Q}\}$.

The case of distances came to our attention because every topology is in a natural sense a generalized metric topology. Our generalized metric spaces, called continuity spaces, are given a leisurely, elementary discussion in [Kp]. For our use, the following will suffice:

1. Definition. $M = (X, d, A, P)$ is a continuity space if $X$ is any set, $A$ a value semigroup (a generalization of $[0, \infty]$, defined in [Kp]), $P$ a set of positives on $A$ (generalizing $(0, \infty] \subseteq [0, \infty]$), and $d : X \times X \to A$ satisfies:

(m1) $d(x,x) = 0$,

(m2) $d(x,z) \le d(x,y) + d(y,z)$.

The dual of $d$ is $d^*$, defined by $d^*(x,y) = d(y,x)$; that of $M$ is $M^* = (X, d^*, A, P)$. The symmetrization of $d$ is $d^s = d \vee d^*$; that of $M$ is $M^s = (X, d^s, A, P)$.

The closed ball of radius $r$ about $x$ is $N_r(x) = \{y \mid d(x,y) \le r\}$; the topology induced by $M$ is

$T_M = \{T \mid x \in T \Rightarrow (\exists r \in P)(N_r(x) \subseteq T)\}.$

A continuity space is $c_0$ if $d(x,y) + d(y,x) = 0 \Rightarrow x = y$; it is $c_1$ if $d(x,y) = 0 \Rightarrow x = y$; and it is symmetric if for each $x, y$, $d(x,y) = d(y,x)$ (equivalently, if $d = d^*$). Finally, a continuity space is Boolean if for each $a \in A$, $a = a + a$.

The precise result is:

2. Theorem. [Kp]: Each continuity space yields a topology, and every topology arises from some continuity space.

This result was improved in [Fl], where it was shown that it suffices to consider certain special value semigroups called value quantales. Since the latter are cocontinuous lattices, they are complete and allow a straightforward completion theory for their continuity spaces; for these, the positives can be defined as the elements way above 0. We use only these restricted continuity spaces in section 2, when completeness becomes an issue, and for a fixed such value quantale $V$, denote $M = (X, d_X)$ (since $V$, $P$ are fixed).
Of course, by the notation introduced in 1, $T_{M^*}$ denotes the topology induced by the dual of $M$, and $T_{M^s}$ that arising from the symmetrization. We call them the dual and symmetrization topologies, and below we use the simple-to-establish equation: $T_{M^s} = T_M \vee T_{M^*}$.

Certainly, a metric space is a symmetric $c_0$ continuity space in which $A = [0, \infty]$, $P = (0, \infty]$ and $d(x,y)$ is never $\infty$. For such, the induced topology is routinely seen to be the usual metric topology.

The $c_0$ assumption is equivalent to the requirement that the induced topology be $T_0$. Another equivalent condition is that the symmetrization topology is Hausdorff, and thus that symmetrically convergent nets (or filters) have unique limits. These are desirable properties, and in section 2 many of our continuity spaces will be $c_0$. The $c_1$ assumption is equivalent to the requirement that the induced topology be $T_1$. This requirement is not satisfied by many spaces that interest us below, and thus is not made.

For two reasons, a consideration of bitopological spaces is needed for an understanding of the topological duality which provides a context for the above, and on which we base our approach (see [Ko], or, for alternate viewpoints, see [Lw], [Sm]):

(a) Bitopological spaces have an obvious duality: $(X, T, T')^* = (X, T', T)$. Further, there is a natural identification of a topological space $(X, T)$ with the self-dual bitopological space $(X, T, T)$. This self-duality means that many bitopological theorems involving this duality look like topological theorems.

(b) Any dual, $T^*$, of a topology, $T$, on the same set, $X$, must be recognized by its relationship with the original, and this relationship can certainly be stated as a property of a bitopological space.

Many useful such relationships "look like" separation axioms, or are related to compactness. Indeed, for each usual topological separation axiom $T_i$ (see [Ke]) there is a duality-motivated bitopological separation axiom (see [Ko] or [Ky]).

For these, as usual: $T_i \Rightarrow T_j$ if $j \le i$.

Further, a topological space $(X, T)$ satisfies $T_i$ iff $(X, T, T)$ does.

In addition, there is a compactness-related axiom in whose presence some of these implications are reversed (see [Ko]):

3. Definition. A bitopological space $\mathbf{X} = (X, T, T^*)$ is:

stable if each proper $*$-closed set is quasicompact,

quasicompact if so with respect to $T$,

joincompact if $\mathbf{X}$, $\mathbf{X}^*$ are both quasicompact, stable and $T_2$.

A topological space $(X, T)$ is acompact (short for asymmetrically compact Hausdorff) if for some topology $T^*$ on $X$, $(X, T, T^*)$ is joincompact (this $T^*$ is unique).

4. Fact. (a) The lower and the Scott topology on a continuous lattice are acompact, and the dual of each is the other. (Some of this can be found in [G&]; the rest in [Ko] and [H&].)

(b) If $\mathbf{X}$ is joincompact, then $(X, T \vee T^*)$ is a compact Hausdorff space. (That the Lawson topology is compact $T_2$ is a special case of (a).)

(c) A topology is compact $T_2$ $\Leftrightarrow$ it is acompact and $T_2$ $\Leftrightarrow$ it is acompact, $T_0$ and self-dual ($T^* = T$).

(d) For a $T_0$ bitopological space $\mathbf{X}$: both $\mathbf{X}$ and $\mathbf{X}^*$ are $T_{1.5}$ $\Leftrightarrow$ there is a continuity space $M$ for which $T$ is $T_M$, and $T^* = T_{M^*}$.

Remark: Each joincompact space is $T_{1.5}$, thus a continuity space exists as in (d). Lawson, in [La], asserted that for each continuous lattice $L$, there is a continuity space $M$ valued in that lattice (that is, $A = L$), for which the lower topology is $T_M$ and the Scott topology is $T_{M^*}$.

Such a continuity space is Boolean. As a result, its symmetrization topology must be 0-dimensional (its $N_r(x)$ are simultaneously closed and open by [Kp], proposition 10).

But in this case, $T_{M^s} = T_M \vee T_{M^*}$ must be the Lawson topology, which is often not 0-dimensional (e.g., on the unit interval), a contradiction. In [FK] we show that the Lawson assertion (and his proof) holds for algebraic cpo's, and give a related characterization for all continuous cpo's.

2. Examples of Categories of Domains

In the remainder of this paper we investigate how continuity spaces can be used to construct 'convenient categories for denotational semantics'. By exploiting the possible asymmetry of the distance function on a continuity space, we are able to include important aspects of both the metric space and cpo approaches to denotational semantics. Moreover, we provide new examples which may be suitable for modelling language constructs that occur in concurrent and probabilistic programming. There are a number of important issues still to be resolved before the theory presented here can be considered satisfactory.

By a net in $X$ we understand a family of elements $(x_\lambda)_{\lambda \in \Lambda}$ of $X$ indexed by a directed set $(\Lambda, \le)$. A net $(x_\lambda)_{\lambda \in \Lambda}$ is Cauchy if for every $\varepsilon \gg 0$ there exists a $\lambda_0$ such that for all $\mu, \nu \ge \lambda_0$, $\varepsilon \ge d(x_\mu, x_\nu)$. $X$ is complete if every Cauchy net has a limit in the symmetric topology on $X$ (see footnote (1) below).

For Cauchy nets $(x_\lambda)_{\lambda \in \Lambda}$, $(y_\lambda)_{\lambda \in \Lambda}$, we need the equation:

$d^s(\lim x_\lambda, \lim y_\lambda) = \lim d^s(x_\lambda, y_\lambda).$

The right-hand side requires the existence of well-behaved limits in the value semigroup, so henceforth we restrict ourselves to a class of value semigroups introduced in [Fl].

5. Definition. A value quantale $\langle V, \le, + \rangle$ is a complete distributive lattice $\langle V, \le \rangle$ together with a binary operation $+$ such that the following conditions are satisfied:

(vq1) $\langle V, +, 0 \rangle$ is a commutative monoid;

(vq2) for all $p \in V$ and all $S \subseteq V$, $p + \bigwedge S = \bigwedge_{s \in S} (p + s)$;

(vq3) for all $p \in V$, $p = \bigwedge \{q \in V \mid q \gg p\}$.

In (vq3) we have written $q \gg p$ to indicate that $q$ is way above $p$; that is, for any subset $W \subseteq V$, if $p \ge \bigwedge W$, then for some finite $F \subseteq W$, $q \ge \bigwedge F$. Thus (vq3) is equivalent to the requirement that $V^{op}$ be a continuous lattice.

Now let $\langle V, \le, + \rangle$ be a value quantale. By a $V$-continuity space $(X, d_X)$ we mean a continuity space $(X, d_X, A, P)$ for which $A = V$ and $P = V^+ = \{p \in V \mid p \gg 0\}$. A value quantale $V$ can itself be regarded as a complete $V$-continuity space, with $d_V(x,y) = x - y$, where $x - y = \bigwedge \{z \mid x \le y + z\}$ (see [Fl]). (Notice that by this definition, $-$ is left adjoint to $+$: that is, $a - c \le b \Leftrightarrow a \le b + c$.) We call $X$ a $V$-domain if $X = (X, d_X)$ is a complete, $c_0$ $V$-continuity space.

Each $V$-continuity space $X$ has a completion; that is, there is a $V$-domain $X^\sim$ and an isometric map $i : X \to X^\sim$ with the following universal property: for any $V$-domain $Y$ and any nonexpansive mapping $f : X \to Y$ there is a unique nonexpansive map $f^\sim : X^\sim \to Y$ such that $f = f^\sim \circ i$. Notice that $i$ is one-one iff $X$ is $c_0$; in general, $i(x) = i(y) \Leftrightarrow d(x,y) + d(y,x) = 0$. $X^\sim$ has a number of additional properties that we will need below.

(I1) For every $\alpha \in X^\sim$, there is a Cauchy net $(x_\varepsilon)_{\varepsilon \gg 0}$ in $X$ such that $\alpha = \lim_\varepsilon i(x_\varepsilon)$.

(I2) For $\alpha, \beta \in X^\sim$, if $\alpha = \lim_\varepsilon i(x_\varepsilon)$ and $\beta = \lim_\varepsilon i(y_\varepsilon)$, then $(d(x_\varepsilon, y_\varepsilon))_\varepsilon$ is a Cauchy net in $V$ and $d_{X^\sim}(\alpha, \beta) = \lim_\varepsilon d(x_\varepsilon, y_\varepsilon)$.

(1) For each $\varepsilon \gg 0$, let $D_\varepsilon = \{\langle x, y \rangle \in X \times X \mid \varepsilon \gg d^s(x,y)\}$. The family $\{D_\varepsilon\}_{\varepsilon \gg 0}$ is a base for a uniformity, $\mathcal{U}^s$, on $X$ and the uniform topology generated by $\mathcal{U}^s$ is the symmetric topology on $X$. $X$ is complete in the sense just described iff the uniform space $(X, \mathcal{U}^s)$ is complete.

Let $V$-Dm denote the category with objects the $V$-domains and morphisms the nonexpansive maps between such.

SOME EXAMPLES

Scott Domains. In the classical approach to domain theory, introduced by Scott and Strachey [SSt], a domain is a certain type of complete partially ordered set (cpo). We illustrate how this approach can be included in our general theory by considering two examples: algebraic cpo's and continuous cpo's.

Let $K$ be a set. Then the power set of $K$, $\mathcal{P}(K)$, is a value quantale with $+ = \cup$. We make a cpo $A$ into a $\mathcal{P}(K)$-continuity space $A_{\mathcal{P}} = (A, d_{\mathcal{P}})$, where $K$ is the set of compact elements of $A$, by defining $d_{\mathcal{P}}(x,y) = (\downarrow x \cap K) \setminus (\downarrow y \cap K)$, for $x, y \in A$.

6. Theorem. ([FK]) Assume $A$ is an algebraic cpo. Then $A_{\mathcal{P}}$ is $c_0$, the induced topology on $A_{\mathcal{P}}$ is the Scott topology on $A$, the dual topology on $A_{\mathcal{P}}$ is the lower topology on $A$, and the symmetric topology on $A_{\mathcal{P}}$ is the Lawson topology on $A$.

Notice that $\mathcal{P}(K)^+ = \{r \mid r \text{ is a cofinite subset of } K\}$. As a result, the continuity space $A_{\mathcal{P}}$ is totally bounded; that is, for all $\varepsilon \gg 0$ there is a finite subset $\{a_1, a_2, \ldots, a_n\}$ of $A$ such that $A = N_\varepsilon(a_1) \cup N_\varepsilon(a_2) \cup \ldots \cup N_\varepsilon(a_n)$. Thus $A_{\mathcal{P}}$ is a $\mathcal{P}(K)$-domain iff the Lawson topology on $A$ is compact. This condition is equivalent to the requirement that $A$ be a '2/3-SFP' domain (see [Pl]). This is the case if $A$ is bounded complete. In particular, for a Scott domain (i.e., an $\omega$-algebraic, bounded complete cpo) $A$, $A_{\mathcal{P}}$ is a $\mathcal{P}(K)$-domain.

Note that a Scott continuous map $f : A \to A$ need not be nonexpansive from $A_{\mathcal{P}}$ to $A_{\mathcal{P}}$. It is an open problem to provide a construction from Scott domains to continuity spaces which will send a wide class of continuous maps to nonexpansive ones.
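The Scott-domain construction above, worked through on a constructed finite cpo as an added example (this code is not from the paper): in a finite poset every element is compact, so $K = A$ and every subset of $K$ is a positive of $\mathcal{P}(K)$; the script checks (m1), (m2) and $c_0$ for $d_{\mathcal{P}}$ and computes $T_M$, the dual and the symmetrization topologies from the ball definition, recovering the Scott (all up-sets), lower (all down-sets) and Lawson (discrete) topologies of Theorem 6 for this finite case. The sample cpo (the subsets of a three-element set under inclusion) and the names d_P, d_dual, d_sym, induced_topology, upsets and downsets are the example's own assumptions.

```python
"""A finite algebraic cpo as a P(K)-continuity space (added example, not from the paper).

The value quantale is P(K) with + = union, 0 = {} and the inclusion order, so
the join d v d* is union and "d(x,y) <= r" means inclusion.  In a finite poset
every element is compact, hence K = A, and every subset of K is way above {}
(any W with meet {} already has a finite subfamily with meet {}), so every
subset of K is a positive.
"""
from itertools import combinations

# Constructed sample cpo: the subsets of {0,1,2} as bitmasks 0..7, ordered by inclusion.
A = tuple(range(8))

def leq(x, y):
    """Order of the sample cpo: x <= y iff bitmask x is a subset of bitmask y."""
    return x & y == x

def down(x):
    """Principal down-set of x in A."""
    return frozenset(y for y in A if leq(y, x))

# The set K of compact elements: all of A, because A is finite.
K = frozenset(A)

def d_P(x, y):
    """d_P(x, y) = (down(x) & K) - (down(y) & K): compacts below x that are not below y."""
    return (down(x) & K) - (down(y) & K)

def d_dual(x, y):
    """The dual distance d_P^*(x, y) = d_P(y, x)."""
    return d_P(y, x)

def d_sym(x, y):
    """The symmetrization d_P v d_P^*; the join of P(K) under inclusion is union."""
    return d_P(x, y) | d_P(y, x)

def check_axioms(d=d_P):
    """(m1) d(x,x) = {}, (m2) d(x,z) <= d(x,y) + d(y,z) with + = union, and c_0."""
    m1 = all(d(x, x) == frozenset() for x in A)
    m2 = all(d(x, z) <= d(x, y) | d(y, z) for x in A for y in A for z in A)
    c0 = all(x == y for x in A for y in A if not (d(x, y) | d(y, x)))
    return m1 and m2 and c0

def ball(x, r, d):
    """Closed ball N_r(x) = {y | d(x, y) <= r}, with <= the inclusion order of P(K)."""
    return frozenset(y for y in A if d(x, y) <= r)

def all_subsets(s):
    s = tuple(s)
    return [frozenset(c) for n in range(len(s) + 1) for c in combinations(s, n)]

def induced_topology(d):
    """T_M by definition: T is open iff every x in T has a positive r with N_r(x) <= T.
    Assumption used here: K is finite, so every subset of K is a positive; since
    N_r(x) grows with r, the least positive r = {} witnesses the existential
    whenever any positive does."""
    positives = all_subsets(K)
    r0 = min(positives, key=len)
    return frozenset(T for T in all_subsets(A) if all(ball(x, r0, d) <= T for x in T))

def upsets():
    """The Scott-open sets of a finite poset: its upward-closed subsets."""
    return frozenset(T for T in all_subsets(A)
                     if all(y in T for x in T for y in A if leq(x, y)))

def downsets():
    """The lower-open sets of a finite poset: its downward-closed subsets."""
    return frozenset(T for T in all_subsets(A)
                     if all(y in T for x in T for y in A if leq(y, x)))

if __name__ == "__main__":
    print(check_axioms(), len(induced_topology(d_P)), len(induced_topology(d_dual)),
          len(induced_topology(d_sym)))
```

With $r = \emptyset$ the ball $N_\emptyset(x)$ for $d_{\mathcal{P}}$ is $\{y \mid {\downarrow}x \subseteq {\downarrow}y\} = {\uparrow}x$, for the dual it is ${\downarrow}x$, and for the symmetrization it is $\{x\}$; this is why the three topologies come out as the up-sets, the down-sets and the discrete topology, and why $T_{M^s} = T_M \vee T_{M^*}$ holds here (${\uparrow}x \cap {\downarrow}x = \{x\}$).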

Continuous Cpo's. For a general continuous cpo, where the Lawson topology may not be zero-dimensional, we give a "fuzzy" version of the above construction; that is, we replace the two point set $\{0, 1\}$ by the unit interval.

A character on a cpo $A$ is a map $k : A \to [0, 1]$ which preserves directed suprema and has a left adjoint. This is a natural generalization of compact element, since $k \in A$ is compact iff the characteristic function $A \to \{0, 1\}$ of $\uparrow k$ preserves directed suprema and has a left adjoint.

Assume $A$ is a cpo and let $K$ be the set of characters on $A$. $[0,1]^K$ is a value quantale with the componentwise ordering and (truncated) addition. Define $d_I : A \times A \to [0,1]^K$ by $d_I(x,y)(k) = k(x) - k(y)$, for $x, y \in A$, $k \in K$, where $-$ is the left adjoint of $+$ introduced above (so the value is 0 when $k(x) \le k(y)$). Then $A_I = (A, d_I)$ is a $[0,1]^K$-continuity space.

7. Theorem. ([FK]) Assume $A$ is a continuous cpo. Then $A_I$ is $c_0$, the induced topology on $A_I$ is the Scott topology on $A$, the dual topology on $A_I$ is the lower topology on $A$, and the symmetric topology on $A_I$ is the Lawson topology on $A$.

Again, the continuity space $A_I$ is totally bounded and so is a $[0,1]^K$-domain iff the Lawson topology on $A$ is compact. This condition is equivalent to the requirement that $A$ be supersober (cf. [G&] p. 310). Thus if $A$ is bounded complete, then $A_I$ is a $[0,1]^K$-domain.


Metric Spaces. In much of the work concerned with modelling concurrent processes, complete metric spaces ([dZ], [AR]) have proved to be a useful tool. This example is easily captured in the present framework. Let $\mathcal{R}$ be the extended nonnegative reals $[0, \infty]$ with the usual ordering and the standard operation of addition. Then $\mathcal{R}$ is a value quantale, which we call the value quantale of distances. A symmetric $\mathcal{R}$-domain is a complete metric space. The induced topology on a symmetric $\mathcal{R}$-domain is, of course, the usual metric topology.

Probabilistic Domains. Neither domains of cpo's nor complete metric spaces seem adequate to model, in a natural way, languages which involve probabilistic constructs. We consider in this example a value quantale whose corresponding notion of semantic domain may be more adequate for this purpose.

Let $\mathcal{M}$ be the set of monotone maps from $[0, \infty)$ to $[0, 1]$, ordered pointwise. We call $F \in \mathcal{M}$ a distance distribution function (d.d.f.) iff $F$ is left-continuous: for all $x \in [0, \infty)$, $\sup_{y < x} F(y) = F(x)$. Let $\Delta$ be the collection of all d.d.f.'s with the opposite of the pointwise ordering. Since the sup of d.d.f.'s is still a d.d.f., $\Delta$ is a complete lattice. The operation $+ : \Delta \times \Delta \to \Delta$, defined by $(F + G)(x) = \sup_{u + v = x} \min\{F(u), G(v)\}$, makes $\Delta$ a value quantale. A symmetric $\Delta$-domain is a complete probabilistic quasimetric space [SSk]. Moreover the induced topology on a symmetric $\Delta$-domain $X$ is the strong topology on $X$.

3. Closure of Categories of Domains under Elementary Operations

The category $V$-Dm is closed under a number of basic operations, which are needed to build up complex data types from primitive ones.

Products. There are two natural notions of the product of two $V$-continuity spaces $A = (A, d)$ and $B = (B, d)$: the Cartesian product, $A \times B = (A \times B, d_\times)$, where

$d_\times(\langle x_1, y_1 \rangle, \langle x_2, y_2 \rangle) = d(x_1, x_2) \vee d(y_1, y_2),$

and the tensor product, $A \otimes B = (A \otimes B, d_\otimes)$, where $A \otimes B = A \times B$ and

$d_\otimes(\langle x_1, y_1 \rangle, \langle x_2, y_2 \rangle) = d(x_1, x_2) + d(y_1, y_2).$

$A \times B$ has the familiar universal property of the Cartesian product. $A \otimes B$ also satisfies a natural universal property. Call a map $f : A \times B \to C$ separately nonexpansive if for each $a \in A$, the function $b \mapsto f(a, b)$ is nonexpansive from $B$ to $C$ and for each $b \in B$, the function $a \mapsto f(a, b)$ is nonexpansive from $A$ to $C$. The identity map $I : A \times B \to A \otimes B$ is clearly separately nonexpansive. Moreover for any separately nonexpansive map $f : A \times B \to C$ there is a unique nonexpansive map $\bar{f} : A \otimes B \to C$ (namely, $f$ itself) such that $f = \bar{f} \circ I$. If $V$ is Boolean, then these two notions of product are identical.

It should be noted here, for use in the power domain discussion later, that $+, \vee, \wedge : (V, d_V) \otimes (V, d_V) \to (V, d_V)$ and $- : (V, d_V) \otimes (V, d_V) \to (V, d_V)$ are all nonexpansive functions. The required inequalities can be shown in a straightforward manner using the adjointness which holds between $-$ and $+$.

Coproducts. For $V$-continuity spaces $A = (A, d_A)$ and $B = (B, d_B)$, their coproduct is $A \oplus B = (A \sqcup B, d_\oplus)$, where $A \sqcup B$ is the disjoint union and, for $x, y \in A \sqcup B$,

$d_\oplus(x, y) = \begin{cases} d_A(x, y) & \text{if } x, y \in A \\ d_B(x, y) & \text{if } x, y \in B \\ \infty & \text{otherwise}, \end{cases}$

where $\infty$ denotes the top element of $V$.

Function Spaces. The function space $[A \to B]$ consists of all nonexpansive maps from $A$ to $B$, where for $f, g \in [A \to B]$, $d_{[A \to B]}(f, g) = \bigvee \{d_B(f(x), g(x)) \mid x \in A\}$. For each $V$-domain $A$, the functor $A \otimes -$ is left adjoint to $[A \to -]$. Thus, if $V$ is Boolean, then $V$-Dm is Cartesian closed; in general, $V$-Dm is a symmetric monoidal closed category.
Power Domains. To model nondeterminism, in addition to the above domain constructors, we also need a form of power domain. The standard constructions of the lower, upper, and convex power domains can easily be adapted to the continuity space setting.

For a $V$-continuity space $(A, d)$, let $\mathcal{P}'_f(A)$ denote the set of finite nonempty subsets of $A$ and define the three functions $d_U, d_L, d_C : \mathcal{P}'_f(A) \times \mathcal{P}'_f(A) \to V$ by

$d_U(U, V) = \bigvee_{v \in V} \bigwedge_{u \in U} d(u, v),$

$d_L(U, V) = \bigvee_{u \in U} \bigwedge_{v \in V} d(u, v),$ and

$d_C(U, V) = d_U(U, V) \vee d_L(U, V).$

It is easy to show that $(\mathcal{P}'_f(A), d_U)$, $(\mathcal{P}'_f(A), d_L)$, and $(\mathcal{P}'_f(A), d_C)$ are $V$-continuity spaces (although they are not necessarily $c_0$). The upper power space, $A_U$, is the completion of $(\mathcal{P}'_f(A), d_U)$, the lower power space, $A_L$, is the completion of $(\mathcal{P}'_f(A), d_L)$, and the convex power space, $A_C$, is the completion of $(\mathcal{P}'_f(A), d_C)$. We consider the universal property of the convex power space in detail and indicate briefly how to modify the discussion for the other two cases.

8. Lemma. The union operation $\cup : \mathcal{P}'_f(A) \times \mathcal{P}'_f(A) \to \mathcal{P}'_f(A)$ is nonexpansive (with respect to $d_U$, $d_L$, or $d_C$).

9. Definition. A convex $V$-algebra is a $V$-domain $E$ together with a nonexpansive binary operation $* : E \times E \to E$ which is

(1) associative: $(x * y) * z = x * (y * z)$;

(2) commutative: $x * y = y * x$; and

(3) idempotent: $x * x = x$.

A homomorphism from the convex $V$-algebra $E_1$ to the convex $V$-algebra $E_2$ is a nonexpansive map $h : E_1 \to E_2$ such that for all $x, y \in E_1$, $h(x * y) = h(x) * h(y)$.

Let $i_C : \mathcal{P}'_f(A) \to A_C$ be the canonical isometric mapping from $\mathcal{P}'_f(A)$ to $A_C$. For $\alpha, \beta \in A_C$ choose Cauchy nets $(U_\varepsilon)_\varepsilon$ and $(V_\varepsilon)_\varepsilon$ in $\mathcal{P}'_f(A)$ such that

$\alpha = \lim_\varepsilon i_C U_\varepsilon \quad \text{and} \quad \beta = \lim_\varepsilon i_C V_\varepsilon.$

It follows at once from Lemma 8 that $(U_\varepsilon \cup V_\varepsilon)_\varepsilon$ is also a Cauchy net. Let

$\alpha \sqcup_C \beta = \lim_\varepsilon i_C(U_\varepsilon \cup V_\varepsilon).$

$\alpha \sqcup_C \beta$ is well-defined by Lemma 8 and $c_0$.

10. Lemma. $(A_C, \sqcup_C)$ is a convex $V$-algebra. Moreover, for all $U, V \in \mathcal{P}'_f(A)$,

$i_C(U \cup V) = i_C(U) \sqcup_C i_C(V).$

PROOF.

Let $\alpha, \alpha', \beta, \beta' \in A_C$. Choose Cauchy nets $(U_\varepsilon)_\varepsilon$, $(U'_\varepsilon)_\varepsilon$, $(V_\varepsilon)_\varepsilon$, $(V'_\varepsilon)_\varepsilon$ in $\mathcal{P}'_f(A)$ so that $\alpha = \lim_\varepsilon i_C U_\varepsilon$, $\alpha' = \lim_\varepsilon i_C U'_\varepsilon$, $\beta = \lim_\varepsilon i_C V_\varepsilon$, and $\beta' = \lim_\varepsilon i_C V'_\varepsilon$.

Then by (I2), Lemma 8 and the nonexpansiveness (thus continuity) of $\vee$, we get

$d_C(\alpha \sqcup_C \alpha', \beta \sqcup_C \beta') = \lim_\varepsilon d_C(U_\varepsilon \cup U'_\varepsilon, V_\varepsilon \cup V'_\varepsilon)$
$\le \lim_\varepsilon \bigl( d_C(U_\varepsilon, V_\varepsilon) \vee d_C(U'_\varepsilon, V'_\varepsilon) \bigr)$
$= \lim_\varepsilon d_C(U_\varepsilon, V_\varepsilon) \vee \lim_\varepsilon d_C(U'_\varepsilon, V'_\varepsilon)$
$= d_C(\alpha, \beta) \vee d_C(\alpha', \beta').$

Q.E.D.

We write $\{x\}_C$ for $i_C(\{x\})$, where $x \in A$. Clearly, $\{\,\}_C : A \to A_C$ is an isometric embedding.

In the proof of the main theorem below, we need the following consequence of the distributivity of $V$: for any finite family $\{x_{i,j} \mid i \in I, j \in J\}$ of elements of $V$,

$\bigvee_{i \in I} \bigwedge_{j \in J} x_{i,j} = \bigwedge_{\phi : I \to J} \bigvee_{i \in I} x_{i,\phi(i)}.$

11. Theorem. Assume $A$ is a $V$-domain, $(E, *)$ is a convex $V$-algebra, and $f : A \to E$ is nonexpansive. Then there is a unique homomorphism $f_C : A_C \to E$ such that $f = f_C \circ \{\,\}_C$.

PROOF.

Existence.

Define $f' : \mathcal{P}'_f(A) \to E$ by

$f'(\{x_1, \ldots, x_n\}) = f(x_1) * \ldots * f(x_n).$

Then for all $U, V \in \mathcal{P}'_f(A)$, $f'(U \cup V) = f'(U) * f'(V)$ and $f' \circ \{\,\} = f$.

CLAIM 1. $f' : \mathcal{P}'_f(A) \to E$ is nonexpansive.

Let $U = \{u_1, \ldots, u_n\}$ and $V = \{v_1, \ldots, v_m\}$ be finite subsets of $A$. Then for any functions $\phi : \{1, 2, \ldots, m\} \to \{1, 2, \ldots, n\}$ and $\psi : \{1, 2, \ldots, n\} \to \{1, 2, \ldots, m\}$, using the idempotence, commutativity and associativity of $*$ and then the nonexpansiveness of $*$ and of $f$,

$d_E(f'(U), f'(V)) = d_E(f(u_1) * \ldots * f(u_n),\ f(v_1) * \ldots * f(v_m))$
$= d_E(f(u_1) * \ldots * f(u_n) * f(u_{\phi(1)}) * \ldots * f(u_{\phi(m)}),\ f(v_{\psi(1)}) * \ldots * f(v_{\psi(n)}) * f(v_1) * \ldots * f(v_m))$
$\le \bigvee_{1 \le i \le n} d_E(f(u_i), f(v_{\psi(i)})) \vee \bigvee_{1 \le j \le m} d_E(f(u_{\phi(j)}), f(v_j))$
$\le \bigvee_{1 \le i \le n} d(u_i, v_{\psi(i)}) \vee \bigvee_{1 \le j \le m} d(u_{\phi(j)}, v_j).$

Since $\phi$ and $\psi$ are arbitrary, taking the meet over all of them and applying the distributivity law recalled above,

$d_E(f'(U), f'(V)) \le \bigwedge_\psi \bigvee_i d(u_i, v_{\psi(i)}) \vee \bigwedge_\phi \bigvee_j d(u_{\phi(j)}, v_j)$
$= \bigvee_i \bigwedge_j d(u_i, v_j) \vee \bigvee_j \bigwedge_i d(u_i, v_j)$
$= d_C(U, V).$

Claim 1 follows.

Let $f_C : A_C \to E$ be the unique nonexpansive extension of $f'$.

CLAIM 2. $f_C$ is a homomorphism.

Let $\alpha, \beta \in A_C$ and choose Cauchy nets $(U_\varepsilon)_\varepsilon$ and $(V_\varepsilon)_\varepsilon$ in $\mathcal{P}'_f(A)$ such that $\alpha = \lim_\varepsilon i_C U_\varepsilon$ and $\beta = \lim_\varepsilon i_C V_\varepsilon$. Then

$f_C(\alpha \sqcup_C \beta) = f_C(\lim_\varepsilon i_C(U_\varepsilon \cup V_\varepsilon))$
$= \lim_\varepsilon f_C i_C(U_\varepsilon \cup V_\varepsilon)$
$= \lim_\varepsilon f'(U_\varepsilon \cup V_\varepsilon)$
$= \lim_\varepsilon f'(U_\varepsilon) * f'(V_\varepsilon)$
$= \lim_\varepsilon f'(U_\varepsilon) * \lim_\varepsilon f'(V_\varepsilon)$
$= f_C(\alpha) * f_C(\beta).$

Claim 2 follows.

Since $f_C \circ \{\,\}_C = (f_C \circ i_C) \circ \{\,\} = f' \circ \{\,\} = f$, $f_C$ is the required homomorphism.

Uniqueness.

Since $f_C$ is required to be a homomorphism, its restriction to $\mathcal{P}'_f(A)$ must be equal to $f'$. This determines $f_C$ uniquely.

Q.E.D.

Thus $A_C$ is the free convex $V$-algebra on the $V$-domain $A$. Corresponding results hold for $A_U$ and $A_L$. For $A_U$ the notion of convex $V$-algebra is replaced by that of upper $V$-algebra, which is obtained by adding the axiom (4U) $d(x * y, x) = 0$. For $A_L$, the axiom (4L) $d(x, x * y) = 0$ is added to the definition of convex $V$-algebra, yielding the notion of lower $V$-algebra.

4. Fixed Points

FIXED POINTS OF MORPHISMS

In denotational semantics the meanings of many language constructs are given as solutions of equational specifications. The existence of such solutions depends on the existence of fixed points of certain morphisms. To specify such a class of morphisms for V-Dm, we assume additional structure on V.

12. Definition. An action on V is a monotone map $\odot : [0, \infty] \times V \to V$ satisfying the following conditions for all $\alpha, \beta \in [0, \infty]$ and $p, q \in V$:

(a) $1 \odot p = p$;

(b) $(\alpha\beta) \odot p = \alpha \odot (\beta \odot p)$; and

(c) $(\alpha + \beta) \odot p = \alpha \odot p + \beta \odot p$.

On the value quantale of distances, ordinary multiplication is an action. This is, of course, the motivating example. Another important example is provided by the value quantale of distance distribution functions. For $\alpha \in [0, \infty]$ and $F \in \Delta$, $\alpha \odot F$ is defined by $(\alpha \odot F)(x) = F(x/\alpha)$.

13. Definition. Assume $X$ is a V-continuity space and $f : X \to X$. Then $f$ is a contraction mapping if there is an $\alpha \in [0, 1)$ such that for all $x_1, x_2 \in X$, $\alpha \odot d(x_1, x_2) \ge d(f(x_1), f(x_2))$.

To adapt the standard proof of Banach's Fixed Point Theorem to the continuity space setting, we need one more notion. An element $p \in V$ is $\odot$-finite if $\bigwedge_{\varepsilon > 0} (\varepsilon \odot p) = 0$. In the two examples mentioned above, being finite can be characterized in familiar terms. An element $p \in [0, \infty]$ is finite iff $p < \infty$. An element $F \in \Delta$ is finite iff it is the distribution of a random variable; that is, iff $\lim_{x \to \infty} F(x) = 1$.

Fixed-Point Theorem for Contraction Mappings. Assume $X$ is a V-domain and $f : X \to X$ is a contraction mapping. If there is an element $x$ in $X$ such that $d_X(x, f(x))$ is finite, then $f$ has a fixed point; that is, there is an element $x_\infty \in X$ such that $f(x_\infty) = x_\infty$. Moreover, if $x_1$ and $x_2$ are fixed points of $f$ and $d_X(x_1, x_2)$ is finite, then $x_1 = x_2$.

In the two examples mentioned above, this theorem specializes to the Banach Fixed Point Theorem and to a version of Sherwood's fixed point theorem for probabilistic metric spaces [Sh].

SOLUTIONS TO REFLEXIVE DOMAIN EQUATIONS

Many data types are also naturally specified using fixed points. For example, to model the $\lambda$-calculus one needs a solution to the equation $D \cong At \oplus [D \to D]$. Equations of this type are called reflexive domain equations and can generally be reduced to fixed point equations of the form $F(D) \cong D$, where $F$ is an endofunctor on the category of domains. The presence of an action on V allows us to define a notion of contractive functor for which fixed points can be found, using the construction of [AR] for solving reflexive domain equations in categories of metric spaces. In this approach, the standard notion of projection pair is replaced by that of retraction pair together with a measure of how close such a pair is to an isometry. Precisely, if $X_1$ and $X_2$ are V-domains, then a retraction pair from $X_1$ to $X_2$ is a pair $(f, g)$ of nonexpansive maps $f : X_1 \to X_2$ and $g : X_2 \to X_1$ such that $g \circ f = \mathrm{Id}_{X_1}$. The norm of $(f, g)$ is $|(f, g)| = d_{[X_2 \to X_2]}(f \circ g, \mathrm{Id}_{X_2})$.

14. Definition. If $F : \text{V-Dm} \to \text{V-Dm}$ is a functor, then $F$ is contractive if there is an $\alpha \in [0, 1)$ such that for all retraction pairs $(f, g) : D \to D'$, $\alpha \odot |(f, g)| \ge |(F(f), F(g))|$.

Fixed-Point Theorem for Contractive Functors. Assume $F : \text{V-Dm} \to \text{V-Dm}$ is a contractive functor and there is a retraction pair $(f, g) : D \to F(D)$ such that $|(f, g)|$ is finite. Then $F$ has a fixed point; that is, there is a V-domain $D_\infty$ such that $D_\infty$ is isomorphic to $F(D_\infty)$ in V-Dm.

We have stated this theorem in its simplest form. To solve domain equations such as $D \cong At \oplus [D \to D]$, where $D$ appears both covariantly and contravariantly, certain modifications must be made; however, this presents no real difficulties.
Ultimately Periodic Words of Rational ω-Languages

Hugues Calbrix, Maurice Nivat, Andreas Podelski

Abstract

In this paper we initiate the following program: associate sets of finite words to Büchi-recognizable sets of infinite words, and reduce algorithmic problems on Büchi automata to simpler ones on automata on finite words. We know that the set of ultimately periodic words $UP(L)$ of a rational language of infinite words $L$ is sufficient to characterize $L$, since $UP(L_1) = UP(L_2)$ implies $L_1 = L_2$. We can use this fact as a test, for example, of the equivalence of two given Büchi automata. The main technical result in this paper is the construction of an automaton which recognizes the set of all finite words $u \cdot \$ \cdot v$ which naturally represent the ultimately periodic words of the form $u \cdot v^\omega$ in the language of infinite words recognized by a given Büchi automaton.

1 Introduction

Büchi automata recognizing sets of infinite words appear as a major tool in modelling the behaviour of a number of computing systems, including distributed and real-time systems and circuits. The standard theoretical results about the decidability of the equivalence of two Büchi automata do not lead to efficient algorithms for equality testing or optimisation of such automata, see e.g. Safra [5] or Sistla, Vardi and Wolper [6] (a question about which almost nothing is known). The basic idea underlying the present paper is that a set of infinite words recognized by a Büchi automaton is entirely known when we know the subset of ultimately periodic words (of the form $u \cdot v^\omega$) it contains, and we prove that this set is finitely representable, since the set of finite words $u \cdot \$ \cdot v$ corresponding to all the $u \cdot v^\omega$ is rational, i.e. recognizable by a finite automaton. This fact brings the hope that a number of constructions which are presently performed on Büchi automata can be performed on simple dfa's. This is already the case for the S1S logic (see [7]), for which this method yields the procedure described in [2].

Two main theorems are proved in this paper. The first one states the rationality of $L_{\$}$, the language of finite representations of ultimately periodic words of an arbitrary rational ω-language $L$, and its proof brings a construction of an automaton that recognizes $L_{\$}$. The second one states a nice characterization of the languages $K$ that are $L_{\$}$ for a given rational ω-language $L$, and also brings a construction of a Büchi automaton recognizing $L$.

Section 3 describes informally the first construction, and two representative examples are shown. The formal proof of the first result lies in Section 4. In Section 5, we study the determinisation of the previous construction and we give an upper bound on its number of states. Section 6 is devoted to the proof of the second theorem and also gives a bound on the number of states of the second construction. In Section 7, we raise some questions about rational languages contained in $A^* \cdot \$ \cdot A^+$ and the set of ultimately periodic words that they represent. Section 8 concludes this paper.


2 Basic Definitions

Let $A$ be a finite set called the alphabet. We denote by $A^*$ the set of finite words on $A$, i.e. finite sequences of elements of $A$. We write $\varepsilon$ for the empty sequence, which is called the empty word. We denote by $A^+$ the set of non-empty words, i.e. $A^+ = A^* \setminus \{\varepsilon\}$. Let $u$ be a finite word. We denote by $|u|$ the length of the sequence $u$. The length of the empty word $\varepsilon$ is thus 0. We denote by $A^\omega$ the set of infinite words on $A$, i.e. infinite sequences of elements of $A$. A language is a subset $M$ of $A^*$, and an ω-language is a subset $L$ of $A^\omega$.

A finite automaton $\mathcal{A}$ is a tuple $(Q, I, D, E)$ made of a finite set $Q$, the elements of which are the states of the automaton, a subset $I$ of $Q$ of initial states, a subset $D$ of $Q$ of distinguished states, and a subset $E$ of $Q \times A \times Q$, the elements of which are the edges of the automaton. It will be convenient to number the elements of $Q$. We will then write $Q = \{q_1, \dots, q_m\}$.

Let $u = u(0) \cdot \ldots \cdot u(k)$ be a finite word. A word $c = c(0) \cdot \ldots \cdot c(k+1)$ of $Q^+$ is a calculus of $\mathcal{A}$ on $u$ if $(c(i), u(i), c(i+1)) \in E$ for each $i$ such that $0 \le i \le k$. This calculus is successful if $c(0) \in I$ and $c(k+1) \in D$. We denote by $L(\mathcal{A})$ the language of finite words $u$ such that there is a successful calculus of $\mathcal{A}$ on $u$. In this case, the elements of $D$ are called final states and $D$ is denoted $F$. The set of languages $L(\mathcal{A})$ for some automaton $\mathcal{A}$ is denoted $\mathcal{R}at(A^*)$, and its elements are called rational languages.

Let $\mathcal{A}$ be a finite automaton and $v \in A^+$ a non-empty finite word. When there exists a calculus $c \in Q^+$ of $\mathcal{A}$ on $v$ such that $c = p \cdot c' \cdot q$, we will write $p \xrightarrow{v} q$. When in addition $c' \cdot q$ contains a distinguished state, we will write $p \xrightarrow{v}_{\circ} q$, and on the other hand, when $c' \cdot q$ contains no distinguished state, we will write $p \xrightarrow{v}_{\sim} q$. When several automata are in play, we say in words in which automaton the calculus is taken.
Let $\alpha = \alpha(0) \cdot \alpha(1) \cdot \ldots$ be an infinite word. A word $x = x(0) \cdot x(1) \cdot \ldots$ of $Q^\omega$ is a calculus of $\mathcal{A}$ on $\alpha$ if $(x(i), \alpha(i), x(i+1)) \in E$ for each integer $i$. This calculus is successful if $x(0) \in I$ and if there exists a distinguished state $q \in D$ such that $x(k) = q$ for infinitely many integers $k$. We denote by $L^\omega(\mathcal{A})$ the ω-language of infinite words $\alpha$ such that there is a successful calculus of $\mathcal{A}$ on $\alpha$. In this case, the elements of $D$ are called repeated states, $D$ is denoted $R$, and $\mathcal{A}$ is called a Büchi automaton. The set of ω-languages $L^\omega(\mathcal{A})$ for some automaton $\mathcal{A}$ is denoted $\mathcal{R}at(A^\omega)$ and its elements are called rational ω-languages.

We denote by $UP(A^\omega)$ the set $\{u \cdot v^\omega \mid (u, v) \in A^* \times A^+\}$, the elements of which are the ultimately periodic words. Let $L$ be an ω-language; we denote by $UP(L)$ the set $L \cap UP(A^\omega)$ of all ultimately periodic words of $L$. Let $\alpha$ be an ultimately periodic word of $A^\omega$. A word $v \in A^+$ is a period of $\alpha$ if there exists a word $u \in A^*$ such that $\alpha = u \cdot v^\omega$. Similarly, a word $u \in A^*$ is a prefix of $\alpha$ if there is a period $v$ of $\alpha$ such that $\alpha = u \cdot v^\omega$. This definition of a prefix is thus more restrictive than the usual one. Indeed, $a$ isn't a prefix of $aa \cdot b^\omega$, for there is no word $v \in A^+$ such that $aa \cdot b^\omega = a \cdot v^\omega$.

Fact 1 Let $L_1$ and $L_2$ be two rational ω-languages such that $UP(L_1) = UP(L_2)$. Then $L_1 = L_2$.

Proof The ω-language $(L_1 \cup L_2) \setminus (L_1 \cap L_2)$ does not contain any ultimately periodic word, and it is a rational ω-language, because the set $\mathcal{R}at(A^\omega)$ is closed under boolean combinations. However, every non-empty rational ω-language contains at least one ultimately periodic word. Thus $(L_1 \cup L_2) \setminus (L_1 \cap L_2)$ is the empty set and $L_1 = L_2$. ◇

The set of ultimately periodic words of a rational ω-language is thus characteristic of this ω-language. The ultimately periodic word $u \cdot v^\omega$ on the alphabet $A$ may be represented by the finite word $u \cdot \$ \cdot v$ on the alphabet $A \cup \{\$\}$, where $\$$ is a dummy symbol which is not already in $A$. Let $L$ be a rational ω-language. We define the language $L_{\$} = \{u \cdot \$ \cdot v \mid u \cdot v^\omega \in L\}$ on the alphabet $A \cup \{\$\}$ to be the set of all the finite words which represent ultimately periodic words of $L$. Fact 1 allows us to say that $L_{\$}$ characterizes the rational ω-language $L$.

3 Finite Words

Let $L$ be a rational ω-language and $\mathcal{A} = (Q, I, R, E)$ a Büchi automaton which recognizes it (we set $Q = \{q_1, \dots, q_m\}$). For each $r$ such that $1 \le r \le m$, we set $M_r = \{u \in A^* \mid \exists q \in I,\ q \xrightarrow{u} q_r\} = L(Q, I, \{q_r\}, E)$ and $N_r = \{v \in A^+ \mid v^\omega \in L^\omega(Q, \{q_r\}, R, E)\}$. It is clear that for each pair of words $(u, v) \in M_r \times N_r$, $u \cdot v^\omega \in L$, because a successful calculus of $\mathcal{A}$ on $u \cdot v^\omega$ may be built from a calculus of $(Q, I, \{q_r\}, E)$ on $u$ leading to $q_r$ and a successful calculus of $(Q, \{q_r\}, R, E)$ on $v^\omega$. Moreover, for each ultimately periodic word $u \cdot v^\omega \in L$, there exists a $q_r \in Q$ such that $u \in M_r$ and $v \in N_r$. This $q_r$ is the state reached after the reading of $u$ in a successful calculus of $\mathcal{A}$ on $u \cdot v^\omega$. We may decompose the previously defined language $L_{\$}$, using the languages $M_r$ and $N_r$, in the following way.

$$
L_{\$} = \bigcup_{r=1}^{m} M_r \cdot \$ \cdot N_r \qquad (1)
$$

The languages $M_r$ are made of prefixes of ultimately periodic words of $L$, and these languages are rational, because they are recognized by the automata $(Q, I, \{q_r\}, E)$. The languages $N_r$ are made of periods of ultimately periodic words of $L$. We will build automata which recognize the languages $N_r$ to show that they are rational too. The rationality of $L_{\$}$ will follow from this fact.

It might be noticed that there are various ways to show the rationality of $L_{\$}$. We can show that the syntactic congruence of $L_{\$}$ and Arnold's congruence of $L$ (defined in [1]) are the same on the set $A^+$ (see [3]). Then the syntactic congruence of $L_{\$}$ is of finite index and $L_{\$}$ is thus rational. It is also possible to use the equivalence between S1S-logical definability and rationality for ω-languages (see e.g. [7]) to construct an automaton recognizing $L_{\$}$ from a logical formula defining $L$ (this procedure is described in [2]). However, the direct construction of an automaton is the most efficient way to produce a recognizing device for $L_{\$}$.


Figure 1: the Büchi automaton recognizing $L = (aba + bab)^\omega$ (the drawing is not reproduced here).

A word $v^\omega$ is recognized by the automaton $(Q, \{q_r\}, R, E)$ if there is a successful calculus of this automaton on $v^\omega$. This calculus runs along one or several loops, i.e. cyclic sequences of states, which contain repeated states of $R$. For example, let $L = (aba + bab)^\omega$ be the language recognized by the automaton of Figure 1. The word $(aba)^\omega$ is recognized, and the infinite sequence of states $(123)^\omega$ is a successful calculus of the automaton on $(aba)^\omega$. This calculus defines a loop, 1231, which runs through a repeated state, 1. The word $aba$ is in the language $N_1$ of periods of ultimately periodic words of $L$ recognized from the state 1, and we just need to know the calculus of the automaton on the word $aba$ to find the loop 1231. This is not always the case, as the next example will show. The word $(ab)^\omega$ is recognized too; the infinite sequence of states $(123145)^\omega$ is a successful calculus of the automaton on this word, and the loop found here is the sequence 1231451. The word $ab$ is a member of the language $N_1$, but the calculus of the automaton on the word $ab$ doesn't permit us to find the loop, which only appears in the calculus on $(ab)^3$.


Figure 2: the Büchi automaton recognizing $L = ab^+ \cdot (a + b)^\omega$ (the drawing is not reproduced here).

Another example is given by the language $L = ab^+ \cdot (a + b)^\omega$, recognized by the automaton of Figure 2. The word $(ab)^\omega$ is recognized by this automaton and the infinite sequence of states $123(45)^\omega$ is a successful calculus of the automaton on the word $(ab)^\omega$. The word $ab$ is an element of the language $N_1$ of the periods of $L$ which can be read from the state 1 of the automaton, but a calculus on $ababab$ is necessary to find a loop, here 545. It becomes clear with this example that the first state of the calculus isn't necessarily involved in the loop found in this calculus.

The principle of the construction that we are going to describe is to simulate calculi of the automaton $\mathcal{A}$ which recognizes the language $L$, starting from each state of the automaton $\mathcal{A}$. This simulation leads to a vector-state whose components are the ends of the simulated calculi, each paired with an element of the set $\{0, 1\}$ which is 1 if and only if the simulated calculus contains a repeated state. Final states are those from which a loop of $\mathcal{A}$ containing a repeated state can be built. For the first example, the calculus of the automaton recognizing $N_1$ on the word $ab$ may be the following (the state denoted $\square$ is added to $\mathcal{A}$ to make it complete; the $i$-th component is the simulation started from state $i$):

$$
\begin{pmatrix} 1, 0 \\ 2, 0 \\ 3, 0 \\ 4, 0 \\ 5, 0 \\ \square, 0 \end{pmatrix}
\xrightarrow{\;a\;}
\begin{pmatrix} 2, 0 \\ \square, 0 \\ 1, 1 \\ 5, 0 \\ \square, 0 \\ \square, 0 \end{pmatrix}
\xrightarrow{\;b\;}
\begin{pmatrix} 3, 0 \\ \square, 0 \\ 4, 1 \\ 1, 1 \\ \square, 0 \\ \square, 0 \end{pmatrix}
$$

From this calculus, we can build the following calculi of the automaton $\mathcal{A}$ on the word $ab$,

$$
1 \xrightarrow{ab}_{\sim} 3, \qquad 3 \xrightarrow{ab}_{\circ} 4 \qquad \text{and} \qquad 4 \xrightarrow{ab}_{\circ} 1,
$$

which permit us to find a loop containing a repeated state in a calculus of $\mathcal{A}$ on the word $(ab)^\omega$. Moreover, we can make the calculus begin with the state 1, 3 or 4, which shows that the word $ab$ is an element of $N_1$, $N_3$ and $N_4$.

4 First Construction

Formally, let $L$ be an ω-language recognized by an automaton $\mathcal{A} = (Q, I, R, E)$ such that $Q = \{q_1, \dots, q_m\}$. We suppose without loss of generality that the automaton $\mathcal{A}$ is complete, i.e. that $\{q \mid (p, a, q) \in E\} \ne \emptyset$ for each pair $(p, a) \in Q \times A$. For each state $q_r$ of the automaton $\mathcal{A}$, we will build an automaton $\mathcal{A}_{N_r}$ which recognizes the language $N_r$ previously defined.

The automaton $\mathcal{A}_{N_r}$ is built on the set of states $(Q \times \{0, 1\})^m$. The initial state is the vector-state $q_0 = ((q_1, 0), \dots, (q_m, 0))$. The tuple $(p, a, p')$, with $p = ((p_1, f_1), \dots, (p_m, f_m))$ and $p' = ((p'_1, f'_1), \dots, (p'_m, f'_m))$, is an edge of $\mathcal{A}_{N_r}$ if, for each $i$ such that $1 \le i \le m$, $(p_i, a, p'_i) \in E$, and $f'_i = 1$ if $p'_i \in R$, $f'_i = f_i$ otherwise. A state $p = ((p_1, f_1), \dots, (p_m, f_m))$ is a final state if the following condition is verified. Let $(i_k)_{1 \le k \le m}$ be the finite sequence of integers defined by the relation $p_k = q_{i_k}$, and $(j_k)_{k \ge 0}$ the infinite sequence defined recursively by $j_0 = r$ and $j_{k+1} = i_{j_k}$ for each $k \ge 0$. This sequence ranges only over a finite set of values. Let thus $s$ be the smallest integer satisfying $j_s \in \{j_k \mid 0 \le k < s\}$ and $s'$ the only integer such that $s' < s$ and $j_{s'} = j_s$. Then the state $p$ is final if and only if $1 \in \{f_{j_k} \mid s' \le k < s\}$.

The following lemma states the fundamental property of the automaton $\mathcal{A}_{N_r}$. A calculus of $\mathcal{A}_{N_r}$ beginning with $q_0$ on a word $v$ contains, for each state $q_i$, a calculus of the automaton $\mathcal{A}$ beginning with $q_i$ on the word $v$. Moreover, a state of the automaton $\mathcal{A}_{N_r}$ reached by the reading of $v$ from the state $q_0$ can be built from the calculi of $\mathcal{A}$ on $v$ starting from each state of $\mathcal{A}$.

Lemma 2 Let $v \in A^*$ and $p = ((p_1, f_1), \dots, (p_m, f_m))$ be a state of $\mathcal{A}_{N_r}$. Then $q_0 \xrightarrow{v} p$ in $\mathcal{A}_{N_r}$ if and only if, for each $i$ such that $1 \le i \le m$, $q_i \xrightarrow{v}_{\sim} p_i$ in $\mathcal{A}$ if $f_i = 0$ and $q_i \xrightarrow{v}_{\circ} p_i$ in $\mathcal{A}$ if $f_i = 1$.

Proof Let $v \in A^*$ and $p$ a state of $\mathcal{A}_{N_r}$. We will show the lemma by induction on the length of the word $v$. If $v = \varepsilon$, then the lemma is trivially true. Thus, we assume that $v \ne \varepsilon$ and we set $v = u \cdot a$ with $u \in A^*$ and $a \in A$.

Let us assume that $q_0 \xrightarrow{v} p$ in $\mathcal{A}_{N_r}$. Let $p'$ be a state of $\mathcal{A}_{N_r}$ such that $q_0 \xrightarrow{u} p'$ and $p' \xrightarrow{a} p$ in $\mathcal{A}_{N_r}$. We set $p' = ((p'_1, f'_1), \dots, (p'_m, f'_m))$. We deduce from the induction hypothesis that $q_i \xrightarrow{u} p'_i$ in $\mathcal{A}$ for each $i$ such that $1 \le i \le m$. Since $(p', a, p)$ is an edge of $\mathcal{A}_{N_r}$, we deduce from the definition of $\mathcal{A}_{N_r}$ that $(p'_i, a, p_i)$ is an edge of $\mathcal{A}$, and that $q_i \xrightarrow{v} p_i$ in $\mathcal{A}$ for each $i$ such that $1 \le i \le m$. Moreover, if $f_i = 1$ then either $f'_i = 1$, in which case $q_i \xrightarrow{u}_{\circ} p'_i$, or $f'_i = 0$, in which case $p_i$ is a repeated state. In both cases, we get that $q_i \xrightarrow{v}_{\circ} p_i$. To conclude, if $f_i = 0$ then $f'_i = 0$, and we deduce from the induction hypothesis that $q_i \xrightarrow{u}_{\sim} p'_i$. The state $p_i$ isn't a repeated state and thus $q_i \xrightarrow{v}_{\sim} p_i$.

Let us now assume that $q_i \xrightarrow{v}_{\sim} p_i$ for each $i$ such that $f_i = 0$ and that $q_i \xrightarrow{v}_{\circ} p_i$ for each $i$ such that $f_i = 1$. For each $i$ such that $1 \le i \le m$, there is a state $p'_i$ of $Q$ such that $q_i \xrightarrow{u} p'_i$ and $(p'_i, a, p_i)$ is an edge of $\mathcal{A}$. Moreover, if $f_i = 1$ and $p_i$ isn't a repeated state, then we can choose $p'_i$ such that $q_i \xrightarrow{u}_{\circ} p'_i$, and we then set $f'_i = 1$. If $f_i = 1$ and $p_i$ is a repeated state, we set $f'_i = 0$ if $q_i \xrightarrow{u}_{\sim} p'_i$ and $f'_i = 1$ in the other case. If $f_i = 0$, we can choose $p'_i$ such that $q_i \xrightarrow{u}_{\sim} p'_i$ and we simply set $f'_i = 0$. We deduce from the induction hypothesis that the state $p' = ((p'_1, f'_1), \dots, (p'_m, f'_m))$ thus defined is such that $q_0 \xrightarrow{u} p'$ in $\mathcal{A}_{N_r}$. Then, we see from the definition of the automaton $\mathcal{A}_{N_r}$ that $(p', a, p)$ is an edge of $\mathcal{A}_{N_r}$. Thus, we conclude that $q_0 \xrightarrow{v} p$ in $\mathcal{A}_{N_r}$. ◇

It remains to show the equality between $N_r$ and $L(\mathcal{A}_{N_r})$. So, let $v$ be a word of $L(\mathcal{A}_{N_r})$, let $p = ((p_1, f_1), \dots, (p_m, f_m))$ be a final state of $\mathcal{A}_{N_r}$ such that $q_0 \xrightarrow{v} p$ in $\mathcal{A}_{N_r}$, and let the sequences $(i_k)_{1 \le k \le m}$ and $(j_k)_{k \ge 0}$ and the integers $s$ and $s'$ be defined as previously. From the previous lemma, we deduce the existence of calculi $b_1, \dots, b_m$ of the automaton $\mathcal{A}$ on the word $v$ such that $b_k = q_k \cdot b'_k \cdot p_k$ for each $k$ such that $1 \le k \le m$ (we set $c_k = q_k \cdot b'_k$). From the definitions of the sequences $(i_k)_{1 \le k \le m}$ and $(j_k)_{k \ge 0}$, we deduce the equalities $p_{j_k} = q_{i_{j_k}} = q_{j_{k+1}}$. The infinite word $c_{j_0} \cdot \ldots \cdot c_{j_{s'-1}} \cdot (c_{j_{s'}} \cdot \ldots \cdot c_{j_{s-1}})^\omega$ of $Q^\omega$ is thus a calculus of $\mathcal{A}$ on the infinite word $v^\omega$. Moreover, $p$ is a final state of $\mathcal{A}_{N_r}$, so $f_{j_k} = 1$ for an integer $k$ such that $s' \le k < s$, and we deduce from Lemma 2 that $b'_{j_k} \cdot q_{j_{k+1}}$ contains a repeated state. Because the first state of the previous infinite calculus is $q_{j_0} = q_r$, this is a successful calculus of the automaton $(Q, \{q_r\}, R, E)$ on the infinite word $v^\omega$. The inclusion $L(\mathcal{A}_{N_r}) \subseteq N_r$ is thus proved.

Conversely, let $v$ be a word of $N_r$. If $\mathcal{A}$ isn't deterministic, there exist non-regular calculi of $\mathcal{A}$ on $v^\omega$. However, we will show in the next lemma the existence of a particular ultimately periodic calculus of $\mathcal{A}$ on $v^\omega$ which can be used to build a successful calculus of $\mathcal{A}_{N_r}$ on $v$.

Lemma 3 Let $v \in N_r$, i.e. such that $v^\omega \in L^\omega(Q, \{q_r\}, R, E)$. Then there is a successful calculus $\pi \in Q^\omega$ of the automaton $(Q, \{q_r\}, R, E)$ on $v^\omega$ which satisfies the following property. There are two integers $s$ and $s'$, $s' < s$, and words $c_0, \dots, c_{s-1} \in Q^*$ such that $|c_k| = |v|$, $c_k = p_k \cdot c'_k$ with $p_k \in Q$ and $p_k \ne p_l$ for each pair of integers $k, l$ such that $0 \le k, l < s$ and $k \ne l$, and these words verify $\pi = c_0 \cdot \ldots \cdot c_{s'-1} \cdot (c_{s'} \cdot \ldots \cdot c_{s-1})^\omega$.

Proof Let $v \in N_r$ and $x = c_0 \cdot c_1 \cdot \ldots$ be a successful calculus of $(Q, \{q_r\}, R, E)$ on $v^\omega$ with $|c_k| = |v|$ for each integer $k \ge 0$. This calculus isn't necessarily ultimately periodic because $\mathcal{A}$ can be non-deterministic. For each integer $k \ge 0$, we set $c_k = p_k \cdot c'_k$, with $p_k \in Q$. Let then $s$ be the least integer satisfying $p_s \in \{p_k \mid 0 \le k < s\}$ (such an integer exists because $Q$ is a finite set) and $s'$ be the integer such that $s' < s$ and $p_{s'} = p_s$. There are two possibilities. In the first case, the word $c_{s'} \cdot \ldots \cdot c_{s-1}$ contains a repeated state, and then $c_0 \cdot \ldots \cdot c_{s'-1} \cdot (c_{s'} \cdot \ldots \cdot c_{s-1})^\omega$ is a successful calculus of $(Q, \{q_r\}, R, E)$ on $v^\omega$ which satisfies the hypothesis of the lemma. In the other case, $x' = c_0 \cdot \ldots \cdot c_{s'-1} \cdot c_s \cdot c_{s+1} \cdot \ldots$ is a successful calculus of $(Q, \{q_r\}, R, E)$ on $v^\omega$. Then we repeat the whole process with $x'$ until we are in the first case. Because we are removing a non-empty factor of $x$ containing no repeated state at each step, and $x$ is successful, we are sure that the process will stop in a finite number of steps. ◇

Then, let $\pi$ be a calculus of $\mathcal{A}$ on $v^\omega$ satisfying the hypothesis of Lemma 3. We can set $q_1 = p_0, \dots, q_s = p_{s-1}$ without loss of generality (so that $r = 1$; the other states of $Q$ are numbered arbitrarily), and we also set $p_s = p_{s'}$. For all $k$ such that $1 \le k \le s$, the word $c_{k-1} \cdot p_k$ is a calculus of $\mathcal{A}$ on $v$, and thus $q_k \xrightarrow{v} p_k$. On the other hand, $\mathcal{A}$ is complete, and then for all $k$ such that $s < k \le m$, there is a state $p_k$ such that $q_k \xrightarrow{v} p_k$. For each $k$ such that $1 \le k \le s$, we set $f_k = 1$ if $c'_{k-1} \cdot p_k$ contains a repeated state, $f_k = 0$ otherwise. For each $k$ such that $s < k \le m$, we set $f_k = 0$ if $q_k \xrightarrow{v}_{\sim} p_k$, and $f_k = 1$ otherwise. The state $p = ((p_1, f_1), \dots, (p_m, f_m))$ thus defined is such that $q_0 \xrightarrow{v} p$ in $\mathcal{A}_{N_r}$, by Lemma 2. For this state, the sequence $(j_k)_{k \ge 0}$ is defined by $j_0 = 1$, $j_k = k + 1$ for all $k < s$, and $j_k = j_{k - (s - s')}$ for all $k \ge s$. Thus $s$ is the least integer verifying $j_s \in \{j_k \mid 0 \le k < s\}$ and $s'$ is such that $s' < s$ and $j_{s'} = j_s$. Moreover, $\pi$ is successful, so $f_{j_k} = 1$ for an integer $k$ such that $s' \le k < s$. This shows that $p$ is a final state of $\mathcal{A}_{N_r}$ and finishes the proof of the inclusion $N_r \subseteq L(\mathcal{A}_{N_r})$.

The languages $N_r$ are recognized by the automata $\mathcal{A}_{N_r}$ and are thus rational. From the equality (1), we deduce that the language $L_{\$}$ is rational too. Finally, we have shown the following proposition.

Proposition 4 Let $L$ be a rational ω-language on the alphabet $A$ and let $L_{\$}$ be the language of finite words on the alphabet $A \cup \{\$\}$ defined by $L_{\$} = \{u \cdot \$ \cdot v \mid u \cdot v^\omega \in L\}$. Then $L_{\$}$ is rational. ◇

It is easy to construct an automaton recognizing $L_{\$}$ from the automata $\mathcal{A}$ and $\mathcal{A}_{N_r}$. Indeed, let $\mathcal{A}_{\$}$ be the disjoint union of the automaton $\mathcal{A}$ and the automata $\mathcal{A}_{N_r}$ for each $r$, to which we add the edges $(q_r, \$, q_{0,r})$, where $q_{0,r}$ is the initial state of $\mathcal{A}_{N_r}$. The initial states of $\mathcal{A}_{\$}$ are those of $\mathcal{A}$ and the final states of $\mathcal{A}_{\$}$ are those of all the $\mathcal{A}_{N_r}$. Then obviously $L(\mathcal{A}_{\$}) = L_{\$}$.
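As an added illustration (this is not code from the paper), the following Python implements the construction of Sections 3 and 4 directly: it completes a Büchi automaton with the state $\square$, simulates the vector-states of $\mathcal{A}_{N_r}$, applies the final-state condition (the sequence $j_0 = r$, $j_{k+1} = i_{j_k}$ followed until it loops), and decides membership of $u \cdot \$ \cdot v$ in $L_{\$}$ through the decomposition (1). The sample automaton `FIG1` is reconstructed from the calculi the text gives for Figure 1 ($L = (aba + bab)^\omega$, repeated state 1); the figure itself is not on the page, so its edge set is an assumption. An independent check, `accepts_periodic`, searches for a lasso through a repeated state in the "read $v$ once" graph and is used to confirm the construction's answers, including the nondeterministic case, which the vector-state simulation handles by exploring every choice of component edge.

```python
"""
Added example: the first construction (A_{N_r}) of the paper, run on a small
Buechi automaton.  FIG1 is reconstructed from the calculi the text gives for
Figure 1 (L = (aba + bab)^omega, repeated state 1); the figure itself is not
on the page, so its edge set is an assumption.
"""
from itertools import product

SINK = "box"  # the completing state, drawn as a square in the paper


class Buchi:
    """Buechi automaton (Q, I, R, E), completed with a sink state."""

    def __init__(self, states, alphabet, initial, repeated, edges):
        self.states = list(states) + [SINK]
        self.initial = set(initial)
        self.repeated = set(repeated)
        self.succ = {(q, a): set() for q in self.states for a in alphabet}
        for p, a, q in edges:
            self.succ[(p, a)].add(q)
        for targets in self.succ.values():  # completion: missing edges go to the sink
            if not targets:
                targets.add(SINK)

    def after(self, sources, word):
        """States reachable from `sources` after reading the finite word `word`."""
        cur = set(sources)
        for a in word:
            cur = {q for p in cur for q in self.succ[(p, a)]}
        return cur


def vector_step(aut, vec, a):
    """Successors of a vector-state on letter a: each component follows an edge of A
    and its flag becomes 1 as soon as the component enters a repeated state."""
    options = [[(q, 1 if q in aut.repeated else f) for q in aut.succ[(p, a)]]
               for p, f in vec]
    return {tuple(choice) for choice in product(*options)}


def vector_run(aut, v):
    """All vector-states reachable from q0 = ((q_1,0),...,(q_m,0)) on v."""
    cur = {tuple((q, 0) for q in aut.states)}
    for a in v:
        cur = {w for vec in cur for w in vector_step(aut, vec, a)}
    return cur


def is_final(aut, vec, r):
    """Final-state test of A_{N_r}: follow j_0 = r, j_{k+1} = state reached from q_{j_k}
    until a state repeats; final iff some flag on that loop is 1."""
    comp = dict(zip(aut.states, vec))  # component (p_i, f_i) indexed by state q_i
    seq = [r]
    while seq.count(seq[-1]) == 1:  # stop at the first j_s that appeared before
        seq.append(comp[seq[-1]][0])
    s_prime = seq.index(seq[-1])
    return any(comp[j][1] == 1 for j in seq[s_prime:-1])


def periods_recognized(aut, v):
    """States r such that v is in N_r, i.e. v^omega is recognized from q_r."""
    return {r for vec in vector_run(aut, v)
            for r in aut.states if r != SINK and is_final(aut, vec, r)}


def in_L_dollar(aut, word):
    """u$v in L_$ iff some state reached on u (M_r) also has v in N_r (equation (1))."""
    u, v = word.split("$")
    return bool(v) and bool(aut.after(aut.initial, u) & periods_recognized(aut, v))


def accepts_periodic(aut, u, v):
    """Independent check of u.v^omega in L: in the graph 'read v once' (edges carry the
    flag of the o-arrow), look for a cycle with a flag-1 edge reachable after u."""
    rel = {}
    for x in aut.states:
        cur = {(x, 0)}
        for a in v:
            cur = {(q, 1 if q in aut.repeated else f) for p, f in cur for q in aut.succ[(p, a)]}
        rel[x] = cur
    for start in aut.after(aut.initial, u):
        seen, todo = {start}, [start]
        while todo:  # states reachable from start by reading v^k
            x = todo.pop()
            for y, _ in rel[x]:
                if y not in seen:
                    seen.add(y)
                    todo.append(y)
        for y in seen:  # does y come back to y having passed a repeated state?
            visited, frontier = set(), [(y, 0)]
            while frontier:
                x, f = frontier.pop()
                if (x, f) in visited:
                    continue
                visited.add((x, f))
                for z, g in rel[x]:
                    if z == y and max(f, g) == 1:
                        return True
                    frontier.append((z, max(f, g)))
    return False


# Sample automaton, reconstructed from the text's calculi for Figure 1 (assumption).
FIG1 = Buchi(states=[1, 2, 3, 4, 5], alphabet="ab", initial=[1], repeated=[1],
             edges=[(1, "a", 2), (2, "b", 3), (3, "a", 1),
                    (1, "b", 4), (4, "a", 5), (5, "b", 1)])

if __name__ == "__main__":
    print(sorted(periods_recognized(FIG1, "ab")))               # [1, 3, 4]
    print(in_L_dollar(FIG1, "aba$ab"), in_L_dollar(FIG1, "a$ab"))  # True False
```

Running it reproduces the example of Section 3: after reading $ab$ the vector-state carries the components $(3,0), (\square,0), (4,1), (1,1), (\square,0), (\square,0)$, and the loop test succeeds exactly for $r \in \{1, 3, 4\}$, so $ab \in N_1, N_3, N_4$ while $aba$ lies in $N_1$ only. The $L_{\$}$ test then agrees with the lasso search on every sample word.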

5 Determinising $\mathcal{A}_{\$}$

The automaton $\mathcal{A}_{\$}$ that we built in the previous section isn't deterministic. One reason for this is that it contains $\mathcal{A}$, which itself is not generally deterministic. However, the accessible states of the subset automata built from $\mathcal{A}_{\$}$ have a particular shape, which provides a simple representation of these states and a bound on their number.

We first build, for each state $q_r$ of $\mathcal{A}$, the subset automaton $\mathcal{P}(\mathcal{A}_{N_r})$ of the automaton $\mathcal{A}_{N_r}$. Its initial state is the singleton $\{q_0\}$, and we denote by $\delta$ its transition function. Let $P$ be an accessible state of $\mathcal{P}(\mathcal{A}_{N_r})$ and $v$ a word of $A^*$ such that $\delta(\{q_0\}, v) = P$. Let $p$ and $p'$ be two states of $\mathcal{A}_{N_r}$, members of $P$: $p = ((p_1, f_1), \dots, (p_m, f_m))$ and $p' = ((p'_1, f'_1), \dots, (p'_m, f'_m))$. Then each state $p'' = ((p''_1, f''_1), \dots, (p''_m, f''_m))$ such that $(p''_k, f''_k) \in \{(p_k, f_k), (p'_k, f'_k)\}$ for each $k$ such that $1 \le k \le m$ is a member of $P$. This is a direct consequence of Lemma 2. The state $P$ is thus entirely defined by the sets $P_k = \{(p_k, f_k) \mid p = ((p_1, f_1), \dots, (p_m, f_m)) \in P\}$, i.e. $P$ is the set of states $p = ((p_1, f_1), \dots, (p_m, f_m))$ such that $(p_k, f_k) \in P_k$ for each $k$ such that $1 \le k \le m$. The set of accessible states of the subset automaton can thus be identified with a subset of $(\mathcal{P}(Q \times \{0, 1\}))^m$, which contains $2^{2m^2}$ elements.

The automata $\mathcal{A}_{N_r}$, and thus the $\mathcal{P}(\mathcal{A}_{N_r})$, have the same structure (the only thing that changes is the set of final states), and there is a straightforward construction to build a deterministic automaton recognizing a language such as $N = \bigcup_{i=1}^{l} N_{r_i}$, a union of languages $N_r$. This automaton is isomorphic to the common structure of the $\mathcal{P}(\mathcal{A}_{N_r})$, and its set of final states is the union of the final states of the automata $\mathcal{P}(\mathcal{A}_{N_{r_i}})$.

Now we build a deterministic automaton that recognizes $L_{\$}$. This automaton is the disjoint union of $\mathcal{P}(\mathcal{A})$, the subset automaton of the automaton $\mathcal{A}$, and of the automata that we built previously recognizing each language $N$ that is a union of the languages $N_r$, to which we add the edges $(P, \$, q_{0,P})$, where $P$ is a state of $\mathcal{P}(\mathcal{A})$, i.e. a subset of $Q$, and $q_{0,P}$ is the initial state of the automaton recognizing the language $\bigcup_{r \in P} N_r$. The automaton we have built is deterministic and recognizes the language $L_{\$}$. There are at most $2^m$ states in $\mathcal{P}(\mathcal{A})$, and there are at most $2^m$ unions of languages $N_r$, which are recognized by automata with at most $2^{2m^2}$ states. Finally, there are at most $2^m + 2^{2m^2 + m}$ states in this automaton.

6 Infinite Words and Second Construction

Let $L$ be a rational ω-language and $L_{\$}$ the rational language defined in the previous sections. Let $u \cdot \$ \cdot v$ be a word in $L_{\$}$ and $u' \cdot \$ \cdot v'$ a word in $A^* \cdot \$ \cdot A^+$ such that $u \cdot v^\omega = u' \cdot v'^\omega$. It is then clear that $u' \cdot \$ \cdot v'$ is an element of $L_{\$}$. Let us define the equivalence relation $\equiv_{UP}$ on the language $A^* \cdot \$ \cdot A^+$ in the following way:

$$
u \cdot \$ \cdot v \equiv_{UP} u' \cdot \$ \cdot v' \quad \text{if and only if} \quad u \cdot v^\omega = u' \cdot v'^\omega.
$$

Then $L_{\$}$ is saturated by $\equiv_{UP}$.
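The relation $\equiv_{UP}$ is decidable by normalising a representation, and the same normal form settles the restricted notion of prefix from Section 2 (where $a$ is not a prefix of $aa \cdot b^\omega$). The Python below is an added illustration, not the paper's construction: it reduces $u \cdot \$ \cdot v$ to the unique pair (shortest prefix, primitive period) denoting $u \cdot v^\omega$, using the rotation identity $u'c \cdot (v'c)^\omega = u' \cdot (cv')^\omega$, and compares two representations by their normal forms. The function and variable names are this example's own.

```python
"""
Added example: deciding u$v =_UP u'$v' and the paper's restricted prefix relation
by normalising the representation of an ultimately periodic word.
"""


def primitive_root(v):
    """Shortest word w such that v = w^k for some k >= 1 (v must be non-empty)."""
    n = len(v)
    for p in range(1, n + 1):
        if n % p == 0 and v[:p] * (n // p) == v:
            return v[:p]
    raise ValueError("period must be non-empty")


def canonical(u, v):
    """Unique pair (shortest prefix, primitive period) with u.v^omega = u'.v'^omega.
    Peeling a common last letter c uses u'c.(v'c)^omega = u'.(cv')^omega; with v
    primitive, the loop stops exactly at the shortest prefix."""
    v = primitive_root(v)
    while u and u[-1] == v[-1]:
        u, v = u[:-1], v[-1] + v[:-1]
    return u, v


def up_equivalent(word1, word2):
    """u$v =_UP u'$v' iff u.v^omega = u'.v'^omega."""
    u1, v1 = word1.split("$")
    u2, v2 = word2.split("$")
    return canonical(u1, v1) == canonical(u2, v2)


def is_prefix(u, alpha_u, alpha_v):
    """u is a prefix of alpha = alpha_u.alpha_v^omega in the paper's sense (alpha = u.v^omega
    for some non-empty v) iff u is an ordinary prefix of alpha that is at least as long
    as the shortest prefix of alpha."""
    cu, cv = canonical(alpha_u, alpha_v)
    if len(u) < len(cu):
        return False
    alpha_prefix = (cu + cv * (len(u) // len(cv) + 1))[:len(u)]
    return u == alpha_prefix


if __name__ == "__main__":
    print(canonical("ab", "ab"))            # ('', 'ab')
    print(up_equivalent("a$ba", "$abab"))    # True
    print(is_prefix("a", "aa", "b"))         # False, as in Section 2
```

Because every representation of an ultimately periodic word shares the same normal form, $L_{\$}$ being saturated by $\equiv_{UP}$ means that membership of $u \cdot \$ \cdot v$ depends only on `canonical(u, v)`.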

Let  A"  be  a  rational  language  of  {A  U  $)*  contained  in  A*  •  $  •  A+.  A 

necessary  condition  for  K  to  be  L%  for  a  rational  w-language  L  is  that  K  is 
UP 

saturated  by  =  .  We  will  show  that  this  condition  is  sufficient  too,  and  we 
will  construct  an  automaton  that  recognizes  L.  We  first  need  the  following 
lemma. 

Lemma 5 Let $M$ and $N$ be two languages of $A^*$ such that $M \cdot N^* = M$ and $N^+ = N$. Then, for each infinite word $\alpha \in A^\omega$, $\alpha \in UP(M \cdot N^\omega)$ if and only if there exist two words $u \in M$ and $v \in N$ such that $u \cdot v^\omega = \alpha$.

Proof It is clear that for all words $u \in M$ and $v \in N$, $u \cdot v^\omega \in M \cdot N^\omega$. Conversely, let $\alpha = u \cdot v^\omega$ be an ultimately periodic word of $M \cdot N^\omega$, and $u_0, u_1, \ldots$ a sequence of words such that $u_0 \in M$, $u_i \in N$ for each $i > 0$ and $u_0 \cdot u_1 \cdot \ldots = u \cdot v^\omega$. We set $l = |v|$, $l_i = |u_0 \cdot \ldots \cdot u_i|$ for each integer $i$, and $P = \{l_i \mid i \in \mathbb{N}\}$. $P$ is an infinite subset of $\mathbb{N}$, thus there is an integer $k$ such that $P \cap (l\mathbb{N} + k)$ is infinite. Let $n_1$ and $n_2$ be two integers such that $0 < n_1 < n_2$, $l_{n_1} \geq |u|$, and $l_{n_j} \in l\mathbb{N} + k$ for $j = 1, 2$. We can then find two words $v_1$ and $v_2$ such that $v = v_1 \cdot v_2$, and two integers $k_1$ and $k_2$ such that $u_0 \cdot \ldots \cdot u_{n_1} = u \cdot v^{k_1} \cdot v_1$ and $u_{n_1+1} \cdot \ldots \cdot u_{n_2} = v_2 \cdot v^{k_2} \cdot v_1$. The two ultimately periodic words $u \cdot v^\omega$ and $u_0 \cdot \ldots \cdot u_{n_1} \cdot (u_{n_1+1} \cdot \ldots \cdot u_{n_2})^\omega$ are equal. Since $u_0 \in M$ and $u_1, \ldots, u_{n_1} \in N$, the hypothesis $M \cdot N^* = M$ gives $u_0 \cdot \ldots \cdot u_{n_1} \in M$; since $N^+ = N$, $u_{n_1+1} \cdot \ldots \cdot u_{n_2} \in N$, and this ends the proof. $\square$


Let then $K \subseteq A^* \cdot \$ \cdot A^+$ be a rational language saturated by $\stackrel{UP}{=}$. Let $A = (Q, I, F, E)$ be a deterministic automaton which recognizes $K$. We denote by $\delta$ the transition function of the automaton $A$ and let $q_0$ be its initial state. We set $Q_d = \{q \in Q \mid \exists\, u \cdot \$ \cdot v \in K,\ q = \delta(q_0, u)\}$. For each state $q \in Q_d$ we denote by $M_q$ the language of words $u$ such that $\delta(q_0, u) = q$, and we denote by $N_q$ the language of words $v$ such that $\delta(q, \$ \cdot v)$ is a final state. $M_q$ and $N_q$ are rational languages and $K = \bigcup_{q \in Q_d} M_q \cdot \$ \cdot N_q$ because $K$ is a subset of $A^* \cdot \$ \cdot A^+$.

The language $N_q$ is recognized by the automaton $A_q = (Q, \{\delta(q, \$)\}, F, E)$, and for each final state $q_f$, we let the rational language $N_{q,q_f}$ be the set of words $v$ such that $\delta(q, v) = q$ and $\delta(q, \$ \cdot v) = q_f = \delta(q_f, v)$. This language is composed of the words $v$ of $N_q$ that loop on both $q$ and $q_f$, the final state of the computation of $A_q$ on $v$. Finally, we define the $\omega$-rational language $L$ by

$$L = \bigcup_{(q, q_f) \in Q_d \times F} M_q \cdot N_{q,q_f}^\omega \qquad (2)$$

The languages $M_q$ and $N_{q,q_f}$ satisfy the hypothesis of Lemma 5, i.e. $N_{q,q_f}^+ = N_{q,q_f}$ and $M_q \cdot N_{q,q_f}^* = M_q$. Each ultimately periodic word $\alpha$ which is an element of $M_q \cdot N_{q,q_f}^\omega$ is thus equal to $u \cdot v^\omega$ with $u \in M_q$ and $v \in N_{q,q_f}$. Then $u \cdot \$ \cdot v \in K$, and we deduce from the saturation of $K$ by $\stackrel{UP}{=}$ that all words $u' \cdot \$ \cdot v'$ such that $\alpha = u' \cdot v'^\omega$ are elements of $K$. We have thus shown the inclusion $L_\$ \subseteq K$.

Conversely, let $u \cdot \$ \cdot v$ be a word of $K$. For each integer $k$, the words $u \cdot \$ \cdot v$ and $u \cdot v^k \cdot \$ \cdot v$ represent the same ultimately periodic word. $K$ is saturated by $\stackrel{UP}{=}$, thus $u \cdot v^k \cdot \$ \cdot v \in K$ and $\delta(q_0, u \cdot v^k) \in Q_d$. Let the sequence of states $p_k \in Q_d$ be defined by $p_k = \delta(q_0, u \cdot v^k)$. $Q_d$ is finite, so we can find two integers $r$ and $m$ such that $m \geq 1$, $p_r = p_{r+m}$ and, for each integer $k < r + m$, $p_k \notin \{p_0, \ldots, p_{k-1}\}$. We may show by a simple induction that $p_{k+m} = p_k$ for each integer $k \geq r$. We set $r = sm + r'$, with $0 \leq r' < m$, and $k_1 = r + m - r' = (s+1)m$. Then we get $p_{2k_1} = p_{k_1 + (s+1)m} = p_{k_1}$, because $k_1 \geq r$, and then $q_0 \xrightarrow{u \cdot v^{k_1}} p_{k_1} \xrightarrow{v^{k_1}} p_{k_1}$. We set $q = p_{k_1}$. With a similar argument on the sequence of final states $p'_k$ defined by $p'_k = \delta(q, \$ \cdot (v^{k_1})^k)$, we show that there exists an integer $k_2$ such that $q \xrightarrow{\$ \cdot v^{k_1 k_2}} p'_{k_2} \xrightarrow{v^{k_1 k_2}} p'_{k_2}$. We set $q_f = p'_{k_2}$. We have thus shown that $u \cdot v^\omega \in M_q \cdot N_{q,q_f}^\omega$, because $u \cdot v^\omega = u \cdot v^{k_1} \cdot (v^{k_1 k_2})^\omega$ and the words $u \cdot v^{k_1}$ and $v^{k_1 k_2}$ are in $M_q$ and in $N_{q,q_f}$, respectively. The infinite word $u \cdot v^\omega$ is in $L$, and this proves the inclusion $K \subseteq L_\$$. Finally, we have shown the following proposition.

Proposition 6 Let $K \subseteq A^* \cdot \$ \cdot A^+$ be a rational language. Then there exists a rational $\omega$-language $L$ such that $K = L_\$$ if and only if $K$ is saturated by the equivalence $\stackrel{UP}{=}$. $\square$


We can build directly from $A$ an automaton recognizing the $\omega$-language $L$. The set $Q_d$ can be effectively computed. For each state $q \in Q_d$, the language $M_q$ is recognized by the automaton $(Q, I, \{q\}, E)$, which has $m$ states. For each final state $q_f$, the language $N_{q,q_f}$ is the intersection of the three languages $L(Q, \{q\}, \{q\}, E)$, $L(Q, \{\delta(q, \$)\}, \{q_f\}, E)$ and $L(Q, \{q_f\}, \{q_f\}, E)$, and this language is recognized by an automaton with $m^3$ states. Each $\omega$-language $M_q \cdot N_{q,q_f}^\omega$ is thus recognized by an automaton with $m + m^3$ states. There are at most $m^2$ pairs $(q, q_f) \in Q_d \times F$, and then the $\omega$-language $L$ is recognized by an automaton which has at most $m^3 + m^5$ states.
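The construction of this section carried out in code, as an added example that is not from the paper: a DFA for a $\$$-language $K$ is given as a transition table, and for an ultimately periodic word $u \cdot v^\omega$ the function `classify` finds the state $q$ and the final state $q_f$ the way the proof of Proposition 6 does, from the sequences $p_k = \delta(q_0, u \cdot v^k)$ and $p'_k = \delta(q, \$ \cdot (v^{k_1})^k)$ (taking the smallest $k$ with $p_{2k} = p_k$ rather than the proof's $(s+1)m$); `in_L` then checks the two membership conditions $u \cdot v^{k_1} \in M_q$ and $v^{k_1 k_2} \in N_{q,q_f}$. The two automata and all names are constructed for this example: `K1` is $L_\$$ for the $\omega$-language of words with infinitely many $a$'s, and `K2` is the non-saturated language $\$ \cdot A^+$ of the Remarks below, for which the procedure finds no accepting pair at all.

```python
"""Worked example of the Section 6 construction: from a DFA for a
$-language K, compute the witnesses q, q_f, k1, k2 that the proof of
Proposition 6 attaches to u.v^omega and check u.v^{k1} in M_q and
v^{k1 k2} in N_{q,q_f}.  Example code added to the text; the two DFAs
below are constructed for illustration and are not from the paper."""
from typing import Dict, FrozenSet, Tuple

# A DFA is (transitions, initial state, final states).  Transitions map
# (state, letter) -> state; missing pairs go to the sink state "dead".
DFA = Tuple[Dict[Tuple[str, str], str], str, FrozenSet[str]]


def run(dfa: DFA, state: str, word: str) -> str:
    """delta(state, word) for the transition function delta of the DFA."""
    trans, _, _ = dfa
    for letter in word:
        state = trans.get((state, letter), "dead")
    return state


def loop_power(dfa: DFA, start: str, prefix: str, period: str) -> Tuple[int, str]:
    """Return (k, p_k) with p_k = delta(start, prefix . period^k) and
    delta(p_k, period^k) = p_k, i.e. p_{2k} = p_k.  Such a k exists because
    the sequence p_k ranges over a finite set and is eventually periodic."""
    k = 1
    while True:
        p_k = run(dfa, start, prefix + period * k)
        if run(dfa, p_k, period * k) == p_k:
            return k, p_k
        k += 1


def classify(dfa: DFA, u: str, v: str) -> Tuple[bool, str, str, int, int]:
    """Follow the proof of Proposition 6 for the word u.$.v:
    q = delta(q0, u v^{k1}) with v^{k1} looping on q, then
    q_f = delta(q, $ v^{k1 k2}) with v^{k1 k2} looping on q_f.
    Returns (q_f is final, q, q_f, k1, k2)."""
    _, q0, finals = dfa
    k1, q = loop_power(dfa, q0, u, v)
    k2, qf = loop_power(dfa, q, "$", v * k1)
    return qf in finals, q, qf, k1, k2


def in_N(dfa: DFA, q: str, qf: str, v: str) -> bool:
    """v in N_{q,q_f}: v loops on q, delta(q, $v) = q_f and v loops on q_f."""
    return run(dfa, q, v) == q and run(dfa, q, "$" + v) == qf == run(dfa, qf, v)


def in_L(dfa: DFA, u: str, v: str) -> bool:
    """u.v^omega in L = U M_q . N_{q,q_f}^omega via the witnesses of classify():
    u v^{k1} in M_q (delta(q0, u v^{k1}) = q) and v^{k1 k2} in N_{q,q_f}.
    For a saturated K this agrees with u.$.v in K (Proposition 6)."""
    accepted, q, qf, k1, k2 = classify(dfa, u, v)
    return (accepted and run(dfa, dfa[1], u + v * k1) == q
            and in_N(dfa, q, qf, v * (k1 * k2)))


def in_K(dfa: DFA, u: str, v: str) -> bool:
    """u.$.v in K, read directly off the DFA."""
    _, q0, finals = dfa
    return run(dfa, q0, u + "$" + v) in finals


# K1 = { u$v : v contains an a } = L_$ for L = "infinitely many a's".
# K1 is saturated: membership depends only on the word u.v^omega.
K1: DFA = ({("s0", "a"): "s0", ("s0", "b"): "s0", ("s0", "$"): "s1",
            ("s1", "b"): "s1", ("s1", "a"): "s2",
            ("s2", "a"): "s2", ("s2", "b"): "s2"}, "s0", frozenset({"s2"}))

# K2 = $ . A^+ (the language of the Remarks).  It is not saturated:
# "$ab" is in K2 but "ab$ab" is not, although both denote (ab)^omega.
K2: DFA = ({("s0", "$"): "s1", ("s1", "a"): "s2", ("s1", "b"): "s2",
            ("s2", "a"): "s2", ("s2", "b"): "s2"}, "s0", frozenset({"s2"}))
```

On `K1` the two representations `("b", "ba")` and `("bba", "ba")` of the same word $b(ba)^\omega$ are both accepted, while on `K2` the word $(ab)^\omega$ is in $\tilde{K}$ but the constructed $L$ is empty: from $q_0$ every letter of $A$ leads to the sink, so no pair $(q, q_f)$ with a non-empty $N_{q,q_f}$ exists.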

7  Remarks 

The set $\tilde{K} = \{u \cdot v^\omega \mid u \cdot \$ \cdot v \in K\}$ of ultimately periodic words corresponding to a rational set $K$ of finite words in $A^* \cdot \$ \cdot A^+$ need not be equal to $UP(M)$ for any rational language $M \in Rat(A^\omega)$. In fact, there exists $M \in Rat(A^\omega)$ such that $\tilde{K} = UP(M)$ if and only if the smallest language containing $K$ and saturated by $\stackrel{UP}{=}$ is rational, and this is not always the case.

For example, $K = \$ \cdot A^+$ is a rational set of finite words included in $A^* \cdot \$ \cdot A^+$. $\tilde{K}$ is the set of periodic words on the alphabet $A$, and $(\tilde{K})_\$$ is not a rational set if $A$ has more than one letter. In fact, if $a$ and $b$ are distinct letters of $A$, $\$ \cdot a \cdot b^n \in K$ for each $n \in \mathbb{N}$, and then $a \cdot b^n \cdot \$ \cdot a \cdot b^n \in (\tilde{K})_\$$ for each integer $n$. But for each integer $n' < n$, $a \cdot b^{n'} \cdot \$ \cdot a \cdot b^n \notin (\tilde{K})_\$$, because the word $a \cdot b^{n'} \cdot (a \cdot b^n)^\omega$ is not periodic. The language $(\tilde{K})_\$$ cannot be rational because it does not even satisfy the conclusion of the pumping lemma.
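Both the equivalence $\stackrel{UP}{=}$ of Section 6 and the periodicity test of this example can be decided by bringing $u \cdot v^\omega$ into a canonical form, the shortest prefix together with the primitive period. The following is an added example, not from the paper; the rotation step and the function names are ours.

```python
"""Canonical form of an ultimately periodic word u.v^omega, used to decide
u.$.v =_UP u'.$.v' and to check that a.b^n'.(a.b^n)^omega is periodic only
when n' = n.  Example code added to the text; not from the paper."""
from typing import Tuple


def primitive_root(v: str) -> str:
    """Shortest w with v = w^k for some k >= 1."""
    n = len(v)
    for d in range(1, n + 1):
        if n % d == 0 and v[:d] * (n // d) == v:
            return v[:d]
    return v


def canonical(u: str, v: str) -> Tuple[str, str]:
    """The unique (u0, v0) with u.v^omega = u0.v0^omega, v0 primitive and
    u0 shortest: strip from u every letter that can be absorbed into the
    period by rotating v.  After the loop u0 is empty or u0[-1] != v0[-1],
    so no shorter prefix works (a shorter one would force u0[-1] = v0[-1])."""
    if not v:
        raise ValueError("period must be non-empty (v in A^+)")
    v0 = primitive_root(v)
    u0 = u
    while u0 and u0[-1] == v0[-1]:
        # u0 = x.c and v0 = w.c  =>  x.c.(w.c)^omega = x.(c.w)^omega
        u0, v0 = u0[:-1], v0[-1] + v0[:-1]
    return u0, v0


def up_equal(u: str, v: str, u2: str, v2: str) -> bool:
    """u.$.v =_UP u2.$.v2  iff  u.v^omega = u2.v2^omega."""
    return canonical(u, v) == canonical(u2, v2)


def is_periodic(u: str, v: str) -> bool:
    """u.v^omega is periodic (equal to w^omega for some w) iff its canonical
    prefix is empty.  These are exactly the words of K~ for K = $.A^+."""
    return canonical(u, v)[0] == ""
```

For the example of the Remarks, `is_periodic("a" + "b" * n_, "a" + "b" * n)` is true exactly when `n_ == n`, which is the non-membership claim used against the pumping lemma.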

8  Conclusion 

We have solved in principle the problem of building an effective one-to-one correspondence between Büchi automata and dfa's recognizing the languages $UP(M)_\$$. This raises two immediate natural questions. How can we decide efficiently that a rational language $K \subseteq A^* \cdot \$ \cdot A^+$ is saturated by $\stackrel{UP}{=}$? How can we decide that $(\tilde{K})_\$$ is rational? More generally, the question is raised to derive from canonical forms of the dfa's recognizing the $UP(M)_\$$ canonical forms for the Büchi automata recognizing the $M$'s and, hopefully, efficient practical algorithms for the manipulation of Büchi automata.


Abstract:

We define the category $Func_A$ with functors $F : D_F \to SCOTT$ ($D_F \in CPO$) as objects and pairs $(f : D_F \to D_G,\ \eta : F \dot\to G \circ f)$ as morphisms ($\eta$ is a natural transformation). We show that this category is closed under the common domain-theoretical operations $+, \times, \bot$ and $\to$. The category $Func_A$ is an O-category and all the operations we define on it are continuous functors, so we will be able to solve recursive equations in $Func_A$. We also show that if we restrict $Func_A$ to functors that preserve directed colimits then the category is not closed under the $\to$ operation. The category $Func_A$ is a basis for a model of second-order lambda calculus with subtyping.

0  Introduction 

The category of A-functors is motivated by John Reynolds' work on category-sorted algebras [Reynolds 1980]. Reynolds' work addresses the problem of the treatment of coercions between types. The key idea in category-sorted algebras can be expressed with the help of the following figure (see next page):
The cpo $D$ contains the type names and the functor $\mathcal{F}$ maps type names to the corresponding cpos. The fact that $int$ is a subtype of $real$ is described by the mapping $\mathcal{F}[int \sqsubseteq real]$ from the set of natural numbers into the set of real numbers. The meaning of a polymorphic operator like $succ$, which takes an element $x$ from $int$ or $real$ and returns $x+1$ (for all other types it returns error), can be expressed as a natural transformation between the functors $\mathcal{F}$ and $\mathcal{F} \circ f_{succ}$, where $f_{succ}(int) = int$, $f_{succ}(real) = real$ and $f_{succ}(d) = ns$ otherwise. This approach can be generalized by allowing a recursive definition of the domain $D$, e.g. $D \cong B + D \to D$, where $B$ is the set of base types. The function $f_{succ}$ can now be treated as a type name and can be included in the domain $D$. This allows the polymorphic operators, like $id$ or $succ$, to be higher order and to self-apply, which is of importance for models of lambda calculi. The cpo corresponding to the type name $f_{succ}$ should be the cpo of natural transformations $\mathcal{F} \dot\to \mathcal{F} \circ f_{succ}$. This generalization of Reynolds' work was introduced by David Schmidt [Schmidt 1990]. As the functor $\mathcal{F}$ is now defined recursively we must be able to solve recursive equations in a category $Func_{CPO}$ of functors $F : D_F \to CPO$. The category $Func_{CPO}$ is closed under the counterparts of the domain-theoretical operations $+, \times, \bot, \to$ and all these operations are continuous functors on $Func_{CPO}$ [Schmidt 1990]. We can use the ideas developed by Schmidt to give a
model for the polymorphic $\lambda 2$-calculus with subtyping [Fiech 1993; Fiech, Schmidt 1993]. Algebraic domains play an important role in domain theory and the $\lambda 2$-calculus model benefits if we can work only with algebraic cpos. Motivated by this, we define the category $Func_A$ with functors $F : D_F \to SCOTT$ as objects and make sure that this category is closed under the previously mentioned operations. Most of the problems are caused by the $\to$ operator. In general the new functor $F \to G : [D_F \to D_G] \to CPO$, with $F \to G[f] := F \dot\to G \circ f$ (the cpo of natural transformations), doesn't produce an algebraic cpo. In part we can resolve this by requiring that $F[d_k \sqsubseteq d_l]$ preserves finite elements and $G[d_k \sqsubseteq d_l]$ preserves nonempty infima [Fiech, Huth 1991]. Although now $F \to G[f]$ is a Scott domain, the category of such functors is still not closed under the $\to$ operation, as $F \to G[f_j \sqsubseteq f_l]$ doesn't necessarily preserve finite elements. We can solve this problem if we require that for all $F \in Func_A$, $F[d_k \sqsubseteq d_l]$ is a lower embedding (p. 4). Of all the domain-theoretical operations on $Func_A$ only the definition of the $\mathcal{P}$-operator (powerdomain constructor) isn't immediately clear. We define the $\mathcal{P}$-operator and give a justification for our choice. Another interesting question about the category $Func_A$ is whether we can require that all functors in it preserve directed colimits (lubs of directed sets). The answer to this question is unfortunately no, as again the functor $F \to G$ may not preserve directed colimits. This negative result holds for any category of functors $F : D_F \to C$, where $C$ is a subcategory of $CPO$ which contains the one- and two-element cpos.

The framework discussed in this paper also generalizes the functor-category semantics described by Oles, Reynolds, O'Hearn and Tennent [Oles 1982, 1985; Reynolds 1980; O'Hearn and Tennent 1993].


1  Basic  domain  and  category  theory 

This  section  is  a  brief  review  of  the  necessary  definitions  in  domain 
and  category  theory. 

A partial order $(D, \sqsubseteq)$ is a set $D$ and a binary relation $\sqsubseteq$ on $D$ which is reflexive, antisymmetric and transitive. For a subset $M \subseteq D$ an element $x \in D$ is called an upper bound of $M$ if for all $m \in M$, $m \sqsubseteq x$. An element $x \in D$ is called the least upper bound (lub) of $M$, $\sqcup M$, if it is an upper bound of $M$ and if for all upper bounds $x'$ of $M$, $x \sqsubseteq x'$. Analogously we can define lower bound and greatest lower bound $\sqcap$. The lower set of $X$, $\downarrow X$, is defined as $\downarrow X := \{d \in D \mid d \sqsubseteq x \text{ for some } x \in X\}$ (analogously $\uparrow X$). A subset $M \subseteq D$ is directed if for every finite subset $M' \subseteq M$ there exists an upper bound $m \in M$ for $M'$. A complete partial order (cpo) is a poset $(D, \sqsubseteq)$ such that every directed subset $M \subseteq D$ has a least upper bound $\sqcup M \in D$. For a subset $M$ of a cpo $X$, the $\sqcup$-closure of $M$ is defined as the smallest subset $M^*$ of $X$ that contains $M$ such that for every directed $N \subseteq M^*$, $\sqcup N \in M^*$. A function $f : A \to B$ between two posets $A$ and $B$ is continuous if for any directed set $M \subseteq A$, $f(M)$ is also directed and $f(\sqcup M) = \sqcup \{f(m) \mid m \in M\}$ whenever $\sqcup M$ exists. A continuous function $e : D \to E$ is an embedding if there exists a continuous function $p : E \to D$ such that $p \circ e = id_D$ and $e \circ p \sqsubseteq id_E$. We call $p$ a projection and denote it by $e^R$. If $e(D)$ is a lower set in $E$ ($e(D) = \downarrow e(D)$) then $e$ is a lower embedding. An element $x \in (D, \sqsubseteq)$ is finite if for all directed sets $M$ with $x \sqsubseteq \sqcup M$ there exists some element $m \in M$ such that $x \sqsubseteq m$. We denote the set of all finite elements in $D$ by $K(D)$. The cpo $(D, \sqsubseteq)$ is algebraic if for all $x \in D$ the set $M = \{a \in K(D) \mid a \sqsubseteq x\}$ is directed and $x = \sqcup M$. $(D, \sqsubseteq)$ is bounded complete if every nonempty, bounded subset $X \subseteq D$ has a lub in $D$. A Scott domain is a bounded complete, algebraic cpo. A subset $U \subseteq D$ is called Scott-open if $U = \uparrow U$ and if for every directed set $M$, $\sqcup M \in U \Rightarrow m \in U$ for some $m \in M$. For two nonempty subsets $A, B \subseteq D$, $A \sqsubseteq_R B$ if for every $a \in A$ and every Scott-open set $U$ with $a \in U$ there exists some $b \in B \cap U$. $A \approx_R B$ iff $A \sqsubseteq_R B$ and $B \sqsubseteq_R A$. For a nonempty set $A \subseteq D$ we define the equivalence class $[A] := \{B \subseteq D \mid B \approx_R A\}$. The relational powerdomain $(\mathcal{P}_R(D), \sqsubseteq_R)$ is the cpo of the nonempty subsets of the elements of $D$ quotiented by the relation $\approx_R$ and partially ordered by $\sqsubseteq_R$. If $D$ is algebraic then $\mathcal{P}_R(D)$ is a Scott domain. For any $A \subseteq D$ there is a canonical representation of $[A]$, namely $\bigcup_{A' \in [A]} A' \in [A]$. For this canonical $A$, $A = \downarrow A$ holds and $A$ is closed under lubs of directed sets. If $f : D \to E$ is a continuous function then $f^+ : \mathcal{P}_R(D) \to \mathcal{P}_R(E)$, defined as $f^+([A]) := [\{f(a) \mid a \in A\}]$, is also continuous.
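The relational powerdomain of a finite poset, computed by following the definitions above literally (Scott-open sets, $\sqsubseteq_R$, the classes $[A]$, their canonical representatives and $f^+$); this is an added example, not from the paper. The diamond poset is a constructed input. On a finite poset every directed set has a greatest element, so the Scott-open sets are exactly the upper sets; that is what makes the enumeration finite, and it also makes $\sqsubseteq_R$ coincide with the Hoare order $\forall a \in A\, \exists b \in B.\ a \sqsubseteq b$, which the code checks against the definition.

```python
"""The relational powerdomain P_R(D) of a finite poset, computed from the
definitions.  Example code added to the text (not from the paper); the
diamond poset below is a constructed input."""
from itertools import combinations
from typing import Callable, FrozenSet, Iterable, List, Set, Tuple

Poset = Tuple[List[str], Callable[[str, str], bool]]  # (elements, leq)


def nonempty_subsets(elems: Iterable[str]) -> List[FrozenSet[str]]:
    elems = list(elems)
    return [frozenset(c) for r in range(1, len(elems) + 1)
            for c in combinations(elems, r)]


def scott_open_sets(poset: Poset) -> List[FrozenSet[str]]:
    """In a finite poset the Scott-open sets are exactly the upper sets U = ↑U
    (every directed set has a greatest element, so the lub clause is automatic)."""
    elems, leq = poset
    return [U for U in nonempty_subsets(elems)
            if all(y in U for x in U for y in elems if leq(x, y))]


def below_R(poset: Poset, A: FrozenSet[str], B: FrozenSet[str]) -> bool:
    """A ⊑_R B: every Scott-open U containing some a in A meets B."""
    return all(any(b in U for b in B)
               for U in scott_open_sets(poset) for a in A if a in U)


def hoare_below(poset: Poset, A: FrozenSet[str], B: FrozenSet[str]) -> bool:
    """The Hoare order, for comparison: every a in A is below some b in B."""
    _, leq = poset
    return all(any(leq(a, b) for b in B) for a in A)


def equivalence_class(poset: Poset, A: FrozenSet[str]) -> Set[FrozenSet[str]]:
    """[A] = { B | B ≈_R A }."""
    elems, _ = poset
    return {B for B in nonempty_subsets(elems)
            if below_R(poset, A, B) and below_R(poset, B, A)}


def canonical(poset: Poset, A: FrozenSet[str]) -> FrozenSet[str]:
    """Canonical representative of [A]: the union of all members of [A].
    For a finite poset this is the lower set ↓A."""
    return frozenset().union(*equivalence_class(poset, A))


def powerdomain(poset: Poset) -> List[FrozenSet[str]]:
    """P_R(D) as the list of canonical representatives, ordered by ⊆."""
    elems, _ = poset
    return sorted({canonical(poset, A) for A in nonempty_subsets(elems)},
                  key=lambda s: (len(s), sorted(s)))


def f_plus(src: Poset, dst: Poset, f: Callable[[str], str],
           A: FrozenSet[str]) -> FrozenSet[str]:
    """f^+([A]) = [{f(a) | a in A}], returned as its canonical representative."""
    return canonical(dst, frozenset(f(a) for a in A))


# Constructed example: the diamond  bot ⊑ x, y ⊑ top  with x and y incomparable.
DIAMOND_LEQ = {("bot", "x"), ("bot", "y"), ("bot", "top"), ("x", "top"), ("y", "top")}
DIAMOND: Poset = (["bot", "x", "y", "top"],
                  lambda a, b: a == b or (a, b) in DIAMOND_LEQ)

# A monotone map collapsing x into top, used to illustrate f^+.
COLLAPSE = lambda a: "top" if a == "x" else a
```

For the diamond, $\mathcal{P}_R(D)$ has five elements, the lower sets $\{\bot\}$, $\downarrow x$, $\downarrow y$, $\downarrow\{x, y\}$ and $D$ itself; $\{x\}$ and $\{\bot, x\}$ fall into the same class.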

A category $\Omega$ is a quadruple $\Omega = (O, hom, id, \circ)$ where (i) $O$ is a class whose members are $\Omega$-objects, (ii) for each pair $(A, B)$ of $\Omega$-objects $hom(A, B)$ is a set whose members are called $\Omega$-morphisms from $A$ to $B$, (iii) for each $\Omega$-object $A$, $id_A : A \to A$ is the $A$-identity, (iv) $\circ$ is a composition operator assigning to each pair of morphisms $f : A \to B$, $g : B \to C$ the composite morphism $g \circ f : A \to C$. We also require that $h \circ (g \circ f) = (h \circ g) \circ f$ (for $h : C \to D$) and $id_A \circ f = f$, $g \circ id_B = g$. The class $O$ is usually denoted by $Ob(\Omega)$ and the class of $\Omega$-morphisms $Mor(\Omega)$ is defined as the disjoint union of all the sets $hom(A, B)$ in $\Omega$. The category $CPO$ has as objects complete partial orders and as morphisms continuous functions. In $CPO_\bot$ all cpos have a least element $\bot$. In the category $SCOTT$ the objects are Scott domains.
Let $\Omega, \Phi$ be categories. A functor $F : \Omega \to \Phi$ is a function that assigns to each $\Omega$-object $A$ a $\Phi$-object $F(A)$ and to each $\Omega$-morphism $f : A \to B$ a $\Phi$-morphism $F(f) : F(A) \to F(B)$, such that $F(f \circ g) = F(f) \circ F(g)$ and $F(id_A) = id_{F(A)}$.

Let $F, G : \Omega \to \Phi$ be functors. A natural transformation $\tau : F \dot\to G$ is a function that assigns to each $\Omega$-object $A$ a $\Phi$-morphism $\tau_A : F(A) \to G(A)$, such that for each $\Omega$-morphism $f : A \to B$, $G(f) \circ \tau_A = \tau_B \circ F(f)$. If $F, G : D \to CPO$ are two functors then $F \dot\to G$, the set of natural transformations from $F$ into $G$ together with the ordering $\eta \sqsubseteq \phi :\Leftrightarrow \forall d \in D : \eta_d \sqsubseteq \phi_d$, is a cpo.

A sink in a category $\Omega$ is a pair $((f_i)_{i \in I}, A)$ consisting of an object $A \in Ob(\Omega)$ and a family of morphisms $f_i : A_i \to A$ in $\Omega$. If $F : \Omega \to \Phi$ is a functor then a $\Phi$-sink $(F[i] \xrightarrow{f_i} A)_{i \in Ob(\Omega)}$ is natural for $F$ if for each $\Omega$-morphism $d : i \to j$, $f_j \circ F[d] = f_i$. A colimit of $F$ is a natural sink $(F[i] \xrightarrow{f_i} C)_{i \in Ob(\Omega)}$ such that for any other natural sink $(F[i] \xrightarrow{g_i} A)_{i \in Ob(\Omega)}$ there exists a unique morphism $h : C \to A$ with $h \circ f_i = g_i$ for all $i \in Ob(\Omega)$. A category $\Phi$ is cocomplete if every functor $F$ from a small category $\Omega$ into $\Phi$ has a colimit in $\Phi$. The category $CPO$ is cocomplete (but $CPO_\bot$ is not).


2 The category $Func_{CPO}$

The category $Func_{CPO}$ was first introduced by David Schmidt [Schmidt 1990]. The category $Func_A$ is based on the definitions given by Schmidt. The difference between these two categories is that the functors in $Func_A$ map elements of $D$ into Scott domains instead of into arbitrary cpos. This restriction causes many problems when we want to close $Func_A$ under the operations $+, \times, \bot, \to$ and $\mathcal{P}$. A solution to these problems will be given in the next section. In this section we adapt the definitions for $Func_{CPO}$ and the operations $+, \times, \bot, \to$ given by Schmidt. We also define the powerset operator $\mathcal{P}$ on $Func_{CPO}$.

Definition 2.1

The category $Func_{CPO}$ has as objects pairs $(D_F \in Ob(CPO_\bot),\ F : D_F \to CPO_\bot)$ such that $F$ is a functor, $F[d \sqsubseteq d']$ is a strict function for all $d \sqsubseteq d' \in D_F$ and $F[\bot] = \{\bot\}$. The morphisms between two objects $F$ and $G$ are pairs $(f, \eta)$, where $f$ is a strict function from $D_F$ into $D_G$ and $\eta$ is a natural transformation in $F \dot\to G \circ f$. Composition of the morphisms $(f : D_F \to D_G,\ \eta : F \dot\to G \circ f)$ and $(g : D_G \to D_H,\ \gamma : G \dot\to H \circ g)$ is defined as $(g \circ f,\ \lambda d \in D_F.\ \gamma_{f(d)} \circ \eta_d)$.

The category $Func_{CPO}$ is closed under the common domain-theoretical operations, which are defined in the following.

Definition 2.2

Let $F_1, F_2 \in Ob(Func_{CPO})$.

a) The bottom functor $\bot : Func_{CPO} \to Func_{CPO}$ is defined as (we write $F_\bot$ instead of $\bot(F)$):

$F_\bot : (D_F)_\bot \to CPO$
$F_\bot[\bot] = \{\bot\}$, the one-element cpo
$F_\bot[d \in D_F] = F[d]$
$F_\bot[\bot \sqsubseteq d] = \lambda x.\ \bot_{F[d]}$
$F_\bot[d_1 \sqsubseteq d_2] = F[d_1 \sqsubseteq d_2]$
$\bot(f : D_1 \to D_2,\ \eta : F_1 \dot\to F_2 \circ f) = (\lambda x.\ f\,x,\ \lambda d \in (D_1)_\bot.\ \text{if } d = \bot \text{ then } \lambda x.\bot \text{ else } \eta(d))$

b) The product functor $\times : Func_{CPO} \times Func_{CPO} \to Func_{CPO}$ is defined as

$F_1 \times F_2 : D_1 \times D_2 \to CPO$
$F_1 \times F_2[(d_1, d_2)] = F_1[d_1] \times F_2[d_2]$
$F_1 \times F_2[(d_1 \sqsubseteq d_1', d_2 \sqsubseteq d_2')] = F_1[d_1 \sqsubseteq d_1'] \times F_2[d_2 \sqsubseteq d_2']$
$\times((f_1, \eta_1), (f_2, \eta_2)) = (f_1 \times f_2,\ \eta_1 \times \eta_2)$, where
$\eta_1 \times \eta_2 := \lambda (d_1, d_2) \in D_1 \times D_2.\ \eta_1(d_1) \times \eta_2(d_2)$

c) The sum functor $+ : Func_{CPO} \times Func_{CPO} \to Func_{CPO}$ is defined as

$F_1 + F_2 : D_1 + D_2 \to CPO$
$F_1 + F_2[\bot] = \{\bot\}$
$F_1 + F_2[(1, d_1)] = F_1[d_1]$
$F_1 + F_2[(2, d_2)] = F_2[d_2]$
$F_1 + F_2[\bot \sqsubseteq (i, d)] = \lambda x.\ \bot_{F_i[d]}$
$F_1 + F_2[(i, d_1) \sqsubseteq (i, d_2)] = F_i[d_1 \sqsubseteq d_2]$
$+((f_1, \eta_1), (f_2, \eta_2)) = (f_1 + f_2,\ \eta_1 + \eta_2)$, where
$\eta_1 + \eta_2 := \lambda x \in D_1 + D_2.\ \text{cases } x \text{ of } \bot \to \lambda x.\bot \mid (1, d) \to \eta_1(d) \mid (2, d) \to \eta_2(d)$

d) The exponentiation functor $\to : Func_{CPO}^{op} \times Func_{CPO} \to Func_{CPO}$ is defined as

$F_1 \to F_2 : [D_1 \to D_2] \to CPO$
$F_1 \to F_2[f] = F_1 \dot\to F_2 \circ f$, the cpo of natural transformations
$F_1 \to F_2[f_1 \sqsubseteq f_2] = \lambda \eta \in F_1 \dot\to F_2 \circ f_1.\ (\lambda t \in D_1.\ F_2[f_1 t \sqsubseteq f_2 t] \circ \eta_t)$
$\to((f_1, \eta_1), (f_2, \eta_2)) = (\lambda g \in [D_1 \to D_2].\ f_2 \circ g \circ f_1,\ \eta_1 \to \eta_2)$, where
$\eta_1 \to \eta_2 := \lambda g \in [D_1 \to D_2].\ \lambda \mu \in F_1 \dot\to F_2 \circ g.\ \eta_2 \circ \mu \circ \eta_1$ (composed componentwise)
Proposition 2.3 [Schmidt 1990]

The category $Func_{CPO}$ is an O-category and the functors $+, \times, \bot, \to$ are locally continuous.

$\square$

The only remaining operation we have to define is the powerset operator $\mathcal{P}$.

Let us consider a simple functor $G : \{\bullet\} \to CPO$ with $G[\bullet] = Y$. When we apply $\mathcal{P}$ to $G$, we would expect as a result a functor $G_P$ from $\{\bullet\} = \mathcal{P}_R(\{\bullet\})$ into $CPO$, where $G_P[\bullet] = \mathcal{P}_R(Y)$. Let now $F : D_F \to CPO$ be an arbitrary functor in $Func_{CPO}$. The functor $F_P$ should be from $\mathcal{P}_R(D_F)$ into $CPO$. But what should the cpo $F_P[A]$ be, where $A \in \mathcal{P}_R(D_F)$? We should look at the union of all elements in $F[a]$, $a \in A$. We can find all elements $x \in \bigcup_{a \in A} F[a]$ in the colimit of the functor $F$. This colimit $(F[i] \xrightarrow{f_i} X)_{i \in D_F}$ exists in $CPO$ [Fiech 1992] and, as $f_\bot(\bot)$ is the least element in $X$, it also exists in $CPO_\bot$. In the colimit cpo $X$, elements which are essentially equal (like $2 \in int$ and $2 \in real$) are identified. We can define the poset $X_A := \bigcup_{a \in A} f_a(F[a])$ and then take for $F_P[A]$ the relational powerdomain on $X_A^*$ (the $\sqcup$-closure of $X_A$ in $X$), $F_P[A] := \mathcal{P}_R(X_A^*)$. When applying this to the functor $G : \{\bullet\} \to CPO$ we get the expected functor $G_P$. Because $A \sqsubseteq_R B \Leftrightarrow A \subseteq B$ (for canonical representatives) we have $X_A^* \subseteq X_B^*$ and therefore there exists the obvious inclusion function $i : X_A^* \to X_B^*$. For $F_P[A \sqsubseteq_R B]$ we can take the function $i^+$. It is clear that $F_P$ preserves identities and composition, so $F_P$ is indeed a functor. The functor $\mathcal{P} : Func_{CPO} \to Func_{CPO}$ still has to be defined on morphisms $(p, \eta)$. $\mathcal{P}[(p, \eta)]$ must be a pair $(p^+, \eta^+)$, where $p^+ : \mathcal{P}_R(D_F) \to \mathcal{P}_R(D_G)$ and $\eta^+ : F_P \dot\to G_P \circ p^+$. It is obvious what the function $p^+$ should be ($p^+(A) = [\{p(a) \mid a \in A\}]$). To define the natural transformation $\eta^+$ we use the following figure (see next page):
If $A \in \mathcal{P}_R(D_F)$ then $\eta^+_A : F_P[A] \to G_P[p^+(A)]$. We have the two colimits $(F[i] \xrightarrow{f_i} X)_{i \in D_F}$ and $(G[i] \xrightarrow{g_i} Y)_{i \in D_G}$. We can construct the natural sink $(F[i] \xrightarrow{h_i} Y)_{i \in D_F}$, where $h_i := g_{p(i)} \circ \eta_i$. As $X$ is the colimit for $F$ we get a unique function $k : X \to Y$ which makes the diagrams commute: $k \circ f_i = h_i$ for all $i \in D_F$. Now we can define the function $q_A : X_A^* \to Y_{p^+(A)}^*$ as the restriction of $k$ to $X_A^*$: $q_A := k|_{X_A^*}$. We can extend $q_A$ in the obvious way into a continuous function from $\mathcal{P}_R(X_A^*)$ into $\mathcal{P}_R(Y_{p^+(A)}^*)$. The natural transformation $\eta^+$ can now be defined as $\eta^+_A := q_A^+$. It is clear that $\eta^+$ is indeed a natural transformation. It is easy to check that $\mathcal{P}$ preserves identities and composition. Now we can formally define the $\mathcal{P}$-functor.

Definition 2.4

Let $F : D_F \to CPO$, $G : D_G \to CPO$ be functors and let $(F[i] \xrightarrow{f_i} X)_{i \in D_F}$ resp. $(G[i] \xrightarrow{g_i} Y)_{i \in D_G}$ be the colimits for $F$ resp. $G$.

The powerset functor $\mathcal{P} : Func_{CPO} \to Func_{CPO}$ is defined as (we write $F_P$ instead of $\mathcal{P}(F)$):

$F_P : \mathcal{P}_R(D_F) \to CPO$
$F_P[A] = \mathcal{P}_R(X_A^*)$
$F_P[A \sqsubseteq_R B] = i^+$, where $i$ is the inclusion from $X_A^*$ into $X_B^*$
$\mathcal{P}(p : D_F \to D_G,\ \eta : F \dot\to G \circ p) = (p^+,\ \lambda A \in \mathcal{P}_R(D_F).\ (k|_{X_A^*})^+)$,
where $k$ is the unique morphism from $X$ into $Y$ with $k \circ f_i = g_{p(i)} \circ \eta_i$.
Lemma 2.5

The functor $\mathcal{P} : Func_{CPO} \to Func_{CPO}$ is locally continuous.

Proof

Let $F : D_F \to CPO$ and $G : D_G \to CPO$ be functors and let $(p^n : D_F \to D_G,\ \eta^n : F \dot\to G \circ p^n)_n$ be a chain in the set $hom(F, G)$ with $(\sqcup\{p^n\}, \sqcup\{\eta^n\})$ the lub of this chain. We have to show that $\mathcal{P}[(\sqcup\{p^n\}, \sqcup\{\eta^n\})] = \sqcup\{\mathcal{P}[(p^n, \eta^n)]\}$.

$\mathcal{P}[(\sqcup\{p^n\}, \sqcup\{\eta^n\})] = ((\sqcup\{p^n\})^+,\ \lambda A \in \mathcal{P}_R(D_F).\ (k^\sqcup|_{X_A^*})^+) = (\sqcup\{(p^n)^+\},\ \lambda A \in \mathcal{P}_R(D_F).\ (k^\sqcup|_{X_A^*})^+)$, as $(\_)^+$ is a continuous operation [Plotkin 1976]. $k^\sqcup$ is the mediating morphism from $X$ into $Y$ with $k^\sqcup \circ f_i = g_{\sqcup\{p^n\}(i)} \circ \sqcup\{(\eta^n)_i\}$. Also $k^n \circ f_i = g_{p^n(i)} \circ (\eta^n)_i$. It is clear that $\sqcup\{g_{p^n(i)} \circ (\eta^n)_i\} = g_{\sqcup\{p^n\}(i)} \circ \sqcup\{(\eta^n)_i\}$. Therefore we have $k^\sqcup = \sqcup\{k^n\}$ and $(k^\sqcup|_{X_A^*})^+ = \sqcup\{(k^n|_{X_A^*})^+\}$. So $\mathcal{P}[(\sqcup\{p^n\}, \sqcup\{\eta^n\})] = (\sqcup\{(p^n)^+\},\ \sqcup\{\lambda A \in \mathcal{P}_R(D_F).\ (k^n|_{X_A^*})^+\}) = \sqcup\{((p^n)^+,\ \lambda A \in \mathcal{P}_R(D_F).\ (k^n|_{X_A^*})^+)\} = \sqcup\{\mathcal{P}[(p^n, \eta^n)]\}$.

$\square$

□ 


3 A-Functors

Algebraic cpos play an important role in domain theory. Also the model for the polymorphic $\lambda 2$-calculus mentioned in the introduction [Fiech 1993; Fiech, Schmidt 1993] benefits if we can work only with algebraic cpos. For these reasons we define the category $Func_A$ which has as objects functors $F : D_F \to SCOTT$. We have to make sure that $Func_A$ is closed under the operations defined in the previous section. It is easy to see that $+$, $\times$ and $\bot$ don't cause any problems. A different situation emerges when we consider the $\to$ functor. The new functor $F \to G$ must map any function $f \in D_F \to D_G$ into an algebraic cpo. So $F \dot\to G \circ f$ must be algebraic. But this won't hold in general.
Example 3.1

Let $F : D_F \to SCOTT$ and $G : D_G \to SCOTT$ be two functors where $D_F = D_G$ is the poset shown in the following figure.

[figure: the poset $D_F = D_G$]

Define $F[a] = F[b] = F[c] = \{\bot \sqsubseteq \top\}$ and $G[a]$, $G[b]$, $G[c]$ as in the following figure:

[figure: the cpos $G[a]$, $G[b]$, $G[c]$]

Consider the identity function on $D_F$. The cpo $F \dot\to G \circ id_{D_F}$ is isomorphic to the nonalgebraic cpo shown in the following figure.

[figure: the nonalgebraic cpo $F \dot\to G \circ id_{D_F}$]
We can solve this problem if we require that all the functors in $Func_A$ preserve finite elements and nonempty infima.

Theorem 3.2 [Fiech, Huth 1991]

Let $F, G : \Omega \to SCOTT$ be two functors with a small category as source, such that for all morphisms $f \in \Omega$ the map $F[f]$ preserves finite elements and $G[f]$ preserves nonempty $\sqcap$'s. If $F \dot\to G$ is nonempty then $F \dot\to G$ is a Scott domain.

$\square$

As embeddings preserve finite elements, functors with $F[d_k \sqsubseteq d_l]$ an embedding for all $d_k \sqsubseteq d_l$ would be good candidates for our category. But this isn't enough, as again $F \to G[f_k \sqsubseteq f_l]$ may not be an embedding.


Example 3.3

We define two functors $F : D_F \to CPO$ and $G : D_G \to CPO$. $F$ maps all elements of $D_F$ to the one-element cpo $\{\bot\}$. $G[a]$ and $G[b]$ are the cpos of even resp. odd numbers and $G[c]$ is the cpo of all natural numbers (with the natural ordering on integers). $G[a \sqsubseteq c]$ and $G[b \sqsubseteq c]$ are the obvious embedding mappings. The functions $f_1, f_2 \in [D_F \to D_G]$ are defined as $f_1 := id$ and $f_2 := \lambda x.\ c$ (see next page).

The cpo of natural transformations $F \dot\to G \circ f_1$ has only two elements and $F \dot\to G \circ f_2$ is isomorphic to $G[c]$.

[figure: the cpos $F \dot\to G \circ f_1$ and $F \dot\to G \circ f_2$ and the map $F \to G[f_1 \sqsubseteq f_2]$ between them]

It is clear that $F \to G[f_1 \sqsubseteq f_2]$ is not an embedding and that the category of functors with embedding morphisms is not closed under the $\to$ operation.

What could we change in this example? All the involved cpos are Scott domains and the mappings are embeddings which preserve nonempty infima. This doesn't leave much room for improvement. The only additional requirement we may impose seems to be that all the morphisms are lower embeddings. Fortunately this is also enough, as we will see in the rest of this section. We require that the category $Func_A$ has as objects functors from a domain $D$ into the category of Scott domains, such that all $F[d_1 \sqsubseteq d_2]$ are lower embeddings.

Notice that if $e : D \to E$ is a lower embedding then $e$ preserves finite elements, arbitrary $\sqcup$'s and nonempty $\sqcap$'s.

Next we have to make sure that $F \to G[f_1 \sqsubseteq f_2]$ is also a lower embedding. What is the projection mapping for $F \to G[f_1 \sqsubseteq f_2] = \lambda \eta \in F \dot\to G \circ f_1.\ \lambda d \in D_F.\ G[f_1(d) \sqsubseteq f_2(d)] \circ \eta_d$? The obvious guess might be that $F \to G[f_1 \sqsubseteq f_2]^R = \lambda \phi \in F \dot\to G \circ f_2.\ \lambda d \in D_F.\ G[f_1(d) \sqsubseteq f_2(d)]^R \circ \phi_d$. But this map doesn't always produce a natural transformation.

Example 3.4

In $F \dot\to G \circ f_2$ of Example 3.3 we have the natural transformation $\phi$ with $\phi_1 = \lambda \bot.\ 2$ and $\phi_2 = \lambda \bot.\ 2$. But $\eta$ defined by $\eta_1 := G[f_1(1) \sqsubseteq f_2(1)]^R \circ \phi_1$, $\eta_2 := G[f_1(2) \sqsubseteq f_2(2)]^R \circ \phi_2$ is not a natural transformation, as the diagrams don't commute.

[figure: the non-commuting naturality squares for $\eta$, involving $G[f_1(2)]$ and $G[f_2(2)]$]

In the above example the function $F \to G[f_1 \sqsubseteq f_2]$ is an embedding, although the projection map is different from our guess. So we need a different way of defining the corresponding projection. But first we show that $F \to G[f_1 \sqsubseteq f_2](F \dot\to G \circ f_1)$ is a lower set in $F \dot\to G \circ f_2$.

Lemma 3.5

Let $F : D_F \to CPO$, $G : D_G \to CPO$ be functors such that for all $d_1 \sqsubseteq d_2 \in D_G$, $G[d_1 \sqsubseteq d_2]$ is a lower embedding. Then for the functor $F \to G : [D_F \to D_G] \to CPO$, $F \to G[f_1 \sqsubseteq f_2](F \dot\to G \circ f_1)$ is a lower set in $F \to G[f_2]$.

Proof

Let $\eta \in F \dot\to G \circ f_1$ and $\phi \sqsubseteq F \to G[f_1 \sqsubseteq f_2](\eta) =: \eta^*$. It is easy to see that $\phi^* := \lambda d \in D_F.\ G[f_1(d) \sqsubseteq f_2(d)]^R \circ \phi_d$ is a natural transformation. The diagrams commute as all $G[d_1 \sqsubseteq d_2]$'s are lower embeddings (for any $x \in F[d_i]$, $G[f_1(d_i) \sqsubseteq f_2(d_i)] \circ G[f_1(d_i) \sqsubseteq f_2(d_i)]^R(\phi_{d_i}(x)) = \phi_{d_i}(x)$, because $\phi_{d_i}(x) \sqsubseteq \eta^*_{d_i}(x)$ lies in the image of the lower embedding, which is a lower set). It is clear that $F \to G[f_1 \sqsubseteq f_2](\phi^*) = \phi$.

$\square$

Lemma 3.6

Let $E$ be an algebraic cpo and $e : D \to E$ a continuous function such that $e(D)$ is a lower set in $E$. If there exists a monotone function $p : E \to D$ such that $p \circ e = id_D$ and $e \circ p \sqsubseteq id_E$, then $p$ is also continuous and therefore $e$ is an embedding.

Proof

Let $\omega = \sqcup \omega_i$ in $E$. $E$ is algebraic, so there exists a directed set $Q \subseteq K(E)$ with $\sqcup Q = e(p(\omega)) \sqsubseteq \omega$. Because $e(D)$ is a lower set in $E$, every $q_j \in Q$ lies in $e(D)$, and we must have $\sqcup p(q_j) = p(e(p(\omega))) = p(\omega)$. For all $q_j \in Q$ there must exist some $\omega_i$ with $q_j \sqsubseteq \omega_i$. As $p$ is monotone we get $p(q_j) \sqsubseteq p(\omega_i)$, and therefore every upper bound for $\{p(\omega_i)\}$ must also be an upper bound for $\{p(q_j)\}$. Hence $p(\omega) = \sqcup\{p(q_j)\} \sqsubseteq \sqcup\{p(\omega_i)\}$, and trivially $\sqcup\{p(\omega_i)\} \sqsubseteq p(\omega)$. So $p(\omega) = \sqcup\{p(\omega_i)\}$ and $p$ is continuous.

$\square$

At this point we are ready to define the corresponding projection mapping for $F \to G[f_1 \sqsubseteq f_2]$.

Proposition 3.7

Let $F : D_F \to SCOTT$, $G : D_G \to SCOTT$ be two functors such that for all $d_1 \sqsubseteq d_2$ in $D_G$, $G[d_1 \sqsubseteq d_2]$ is a lower embedding. Then for the functor $F \to G$ and for any $f_k \sqsubseteq f_l$ in $[D_F \to D_G]$, $F \to G[f_k \sqsubseteq f_l]$ is also a lower embedding.

Proof

First we show that for any $\eta \in F \dot\to G \circ f_l$ the set $Q := \{\phi \in F \dot\to G \circ f_k \mid F \to G[f_k \sqsubseteq f_l](\phi) \sqsubseteq \eta\}$ has a maximum element. For every $d \in D_F$ the set $\{\phi(d) \mid F \to G[f_k \sqsubseteq f_l](\phi) \sqsubseteq \eta\}$ is bounded by the function $G[f_k(d) \sqsubseteq f_l(d)]^R \circ \eta(d)$. Because $[F[d] \to G[f_k(d)]]$ is bounded complete we have a lub for the set $\{\phi(d) \mid F \to G[f_k \sqsubseteq f_l](\phi) \sqsubseteq \eta\}$. All $G[d_i \sqsubseteq d_j]$ are embeddings and thus preserve arbitrary lubs. Therefore we can define the natural transformation $\phi^*$ as $\phi^*(d) := \sqcup\{\phi(d) \mid F \to G[f_k \sqsubseteq f_l](\phi) \sqsubseteq \eta\}$. The diagrams obviously commute and $F \to G[f_k \sqsubseteq f_l](\phi^*) \sqsubseteq \eta$.

Now we can define the corresponding projection mapping $F \to G[f_k \sqsubseteq f_l]^R := \lambda \eta.\ \sqcup\{\phi \in F \dot\to G \circ f_k \mid F \to G[f_k \sqsubseteq f_l](\phi) \sqsubseteq \eta\}$. Obviously $(F \to G[f_k \sqsubseteq f_l]^R) \circ (F \to G[f_k \sqsubseteq f_l]) = id_{F \dot\to G \circ f_k}$ and $(F \to G[f_k \sqsubseteq f_l]) \circ (F \to G[f_k \sqsubseteq f_l]^R) \sqsubseteq id_{F \dot\to G \circ f_l}$. It is clear that $F \to G[f_k \sqsubseteq f_l]^R$ is monotone. From Lemma 3.6 we can conclude that $F \to G[f_k \sqsubseteq f_l]$ is an embedding. Together with Lemma 3.5 we get that $F \to G[f_k \sqsubseteq f_l]$ is a lower embedding.

$\square$

Now  we  are  ready  to  define  the  category  FuncA. 

Definition 3.8

A functor $F : D_F \to \mathrm{CPO}_\bot$ is called an A-functor if $F[d] \in \mathrm{SCOTT}$ for all $d \in D_F$ and $F[d_k \sqsubseteq d_l]$ is a lower embedding for all $d_k \sqsubseteq d_l \in D_F$. We also require that $F[\bot] = \{\bot\}$.

Definition 3.9

The category FuncA has as objects A-functors. Morphisms in FuncA and operations $+, \times, \bot, \to$ on FuncA are defined as in the case of $\mathrm{Func}_{\mathrm{CPO}}$.


Another interesting question is if we can restrict FuncA only to functors which preserve directed colimits (lubs of directed sets). Under these conditions, if we assume that $D_F$ and $D_G$ are both Scott domains, then any natural transformation $\eta \in F \dot\to G$ is uniquely determined by the set of functions $\{ \eta_a : F[a] \to G[a] \mid a \in K(D_F) \}$. Also, given a set of functions $\{ \phi_a : F[a] \to G[a] \mid a \in K(D_F) \}$ s.t. the corresponding diagrams commute, $G[a \sqsubseteq b] \circ \phi_a = \phi_b \circ F[a \sqsubseteq b]$ for all $a \sqsubseteq b \in K(D_F)$, we can always complete this set (in a unique way) into a natural transformation $\phi : F \dot\to G$. Again we have to check if this new FuncA is closed under $\to$. A related problem is the preservation of colimits on function spaces. Given a functor $F : D_F \to \mathrm{CPO}$ with the colimit $(F[i] \xrightarrow{f_i} X)_{i \in D_F}$, for any cpo $Y$ we can construct the functor $F_Y : D_F \to \mathrm{CPO}$ where $F_Y[d] := Y \to F[d]$ and $F_Y[d_1 \sqsubseteq d_2] := \lambda f .\, F[d_1 \sqsubseteq d_2] \circ f$. We may expect now that the cpo $[Y \to X]$ is the colimit for $F_Y$, but this is not the case in general. In this special case $[Y \to X]$ is the colimit if $D_F$ is directed and all $f_i$'s are embeddings. But in the case of A-functors and the $\to$ operation on FuncA the result is negative.

Example 3.10

We define the functor $F_B : B \to \mathrm{CPO}_\bot$ as:

The functor $F_B \to F_B : [B \to B] \to \mathrm{CPO}_\bot$ with $F_B \to F_B[f] = F_B \dot\to F_B \circ f$ maps functions in $[B \to B]$ into cpos of natural transformations. Next we define the functions $f_i : B \to B$ as $f_i(\bot) = \bot$, $f_i(ns) = ns$, $f_i(k) = ns$ for $k \in \{1, \ldots, i\}$ and $f_i(k) = \bot$ for $k \in \{i+1, \ldots\}$. Obviously $f_i \sqsubseteq f_{i+1}$ and $\bigsqcup \{f_i\} = \lambda x .\, ns$. In all the cpos $F_B \dot\to F_B \circ f_i$ we have only one natural transformation $\eta_\bot$ with $(\eta_\bot)_n = \lambda x .\, \bot$. But in $F_B \dot\to F_B \circ (\bigsqcup \{f_i\})$ there are two natural transformations $\eta_\bot$ and $\eta_T$ with $(\eta_T)_n = \mathrm{id}$. So $F_B \to F_B[\bigsqcup \{f_i\}]$ is not the colimit of the cpos $F_B \to F_B[f_i]$.
Abstract

Many programming languages can be studied by desugaring them into an intermediate language, namely, the simply-typed λ-calculus. In this manner Landin and Tennent discovered a “correspondence” between the semantics of definition bindings and parameter bindings such that the semantics of free identifiers becomes independent of their mode of definition.

In this paper we consider programming languages with modules and we desugar modules into records. A categorical model for the simply-typed λ-calculus with records is then freely generated. The record construction becomes a tensor product, the lambda abstraction construction becomes a function space, and if the language satisfies the correspondence principle, then the categorical exponentiation diagram commutes. A converse result is also proved. The framework for defining the model is of interest because it defines a hierarchy of call-by-value λ-calculi, of which call-by-name is the weakest form of call-by-value calculus.

Applications  to  compiling  are  given. 


1  Introduction 

In his seminal paper on the next 700 programming languages [9], Landin suggested that a programming language might satisfy a correspondence in the semantics of its definition and parameter constructions. That is, the semantics of binding a body, U, to a name, i, as seen in:

define i = U in V

should be the same as that of binding an actual parameter, U, to a formal parameter, i, as seen in:

define j(i) = V in call j(U)

where j is fresh.

*Manhattan, Kansas 66506, USA. Part of this work was supported by NSF under grant CCR-9102625.
Tennent [23] titled this the correspondence principle and suggested that it be used as a design guide for programming languages. The primary benefit from the correspondence principle is that a program phrase containing free identifiers can be understood without concern as to whether the identifiers were bound by definitions or parameters. For example, ...A... means the same whether it appears in:

define A = 4 in ...A...

or in:

define G(A) = ...A... in G(4)

1.1  Correspondence  in  higher  order,  modular  languages 

The importance of the correspondence principle increases when a programming language is higher-order, that is, abstractions can be arguments and results of other abstractions. Consider the following example:

function g(a) = (function f(b) = ...a...b... in return f)

A call to g(somevalue) returns f with a binding to a. The semantics of f is explained as: define a = somevalue in function f(b) = ...a...b.... For this explanation to make sense, correspondence must hold.

Finally, languages with modules need correspondence to ensure proper behavior: a module, in the sense of Ada and Standard ML, is a set of definitions. Modules can be built hierarchically, one module importing another (cf. SML's “functors” [11, 12]):

module m = (define i = something)
in module n(x) = (use x; define j = ...i...)
in ...use n(m)...

or they can be written “flat”:

module m = (define i = something; define j = ...i...)
in ...use m...

Correspondence ensures that the semantics of a hierarchical module equals the semantics of a flat one with the same set of definitions. For example, if the “something” in the above example was a looping expression, and module parameters like m were evaluated eagerly but module importations like use m were done lazily, then hierarchical module construction would be a futile endeavor.

1.2  This  paper 

We show that Landin's correspondence principle, as it arises in the above examples, can be formalized in Category Theory: a language's definition construct defines a tensor product construction, its parameter construct defines a function space construction, and correspondence ensures that the exponentiation diagram commutes. That is, the category freely generated by a programming language with correspondence has an associative, commutative tensor product (with a unit) and it has weak categorical exponentiation (the fill-in morphism might not be unique). Hence, it is a symmetric monoidal weakly closed category. The significance is that the tensor product ensures that sets of bindings (i.e., modules) behave like sets, and exponentiation ensures that definition bindings behave like parameter bindings. Both properties are crucial to properly designed, modular, higher-order programming languages. We also show a converse result: if the semantics of a programming language fits a “usual” format, weak exponentiation in the model implies correspondence.

In this way, a fundamental intuitive programming language criterion is characterized as a fundamental categorical one. This fits within Reynolds' program of “Semantics ... [as] applied mathematics; it seeks profound definitions rather than difficult theorems ... the application of such concepts directly reveals regularity in linguistic behaviour and strengthens and objectifies our intuitions of simplicity and uniformity.” ([25], page 3).

A programming language with correspondence can use call-by-name or call-by-value binding, so the framework for our proof must accommodate both. For this reason, we prove the result for a hierarchy of call-by-value λ-calculi, of which call-by-name is the weakest call-by-value calculus. In this light, our result can be viewed as a generalization of the cartesian closedness of models for call-by-name, simply-typed λ-calculus [7] to monoidal closedness for call-by-value λ-calculi. Our result also reveals that the reason why categorical exponentiation holds is because the form of binding defined by a product construction corresponds with the form of binding defined by the function space construction.

In  the  rest  of  this  paper,  we  define  our  metalanguage,  outline  the  proof  of 
the  correspondence  theorem,  and  state  an  application  to  compiling. 

2  The  Metalanguage 

One way to obtain correspondence is to force it upon a language. Landin [8], Reynolds [18, 19], and Tennent [23, 24] observed that correspondence must hold if both definition binding and parameter binding are desugared purely into λ-abstractions:

define i = U in V desugars to (λi.V)U

define j(i) = V in j(U) desugars to define j = λi.V in j(U), which desugars to (λi.V)U, when λi.V is copied for j

Thus, the semantics of λ-abstraction, whether it be call-by-name or call-by-value semantics, defines the semantics of both definition and parameter binding. An example like:

(1) const k = 0, alias x = location1
    in procedure p(y:int) = x := @x+y
    in x := k; p(k)




is desugared into:

((λk:int. λx:intloc. (λp:int → comm. x := k; (p k)) (λy:int. x := @x+y)) 0) location1

We work with statically typed languages. For simplicity, we use alias definitions here rather than var declarations. A var declaration is a binding of an identifier to a location with the side effect of allocating the location in storage. One might desugar var x:intloc in e by new(λx:intloc. e), where new is a storage allocation operator [4, 13, 14, 19]. Also, the @ symbol denotes dereferencing. Notice that compound declarations, like const k = 0, alias x = location1, are desugared into curried bindings.

Since the desugaring pattern is regular and simple, Tennent [23] derived an abstraction principle, stating that a definition construction (e.g., constant, alias, function, procedure, module, ...) can be introduced for each of a language's syntax domains (e.g., numerals, locations, expressions, commands, declarations, ...). Each definition construct is desugared into a λ-abstraction. Similarly, Schmidt [22] proposed a parameterization principle, stating that parameter constructions (e.g., numeral parameters, location parameters, expression parameters, command parameters, declaration parameters, ...) can be introduced for each of a language's syntax domains. Again, each formal parameter construct is desugared into a λ-abstraction. Properly applied, the two principles extend systematically a core programming language into a language for programming in-the-large [1, 21, 24, 26].

2.1  The  need  for  records 

Desugaring both definitions and parameters into purely λ-abstractions confuses definitions with parameters, which is problematic when a Pascal-like language is studied. Indeed, for the correspondence principle to be of value as a language design criterion, it must be possible for it to fail. More importantly, the desugaring of Ada/Standard ML-style modules, which are sets of bindings, as in:

(2) begin module m = (const k = 0, alias x = location1)
    in begin use m, function f(a:integer) = a + 2
    in x := k + f(@x) end end

can not be modelled easily by simply-typed λ-abstractions, if at all. The problem is that modules are “packages of bindings,” which are not λ-abstraction-like. For these reasons, we will maintain the integrity of definitions and parameters by desugaring them into records and λ-abstractions, respectively. The metalanguage we use is defined in Figure 1. The metalanguage is reminiscent of the one in Lambek and Scott [7] in its extension of the simply-typed λ-calculus by a product construction, but here we use records rather than tuples. Unlike Lambek and Scott's construction, however, the records are motivated by the pragmatic reasons stated above, not by an explicit desire to discover cartesian closedness.
\[
\begin{array}{ll}
\tau \in \text{Type-expression} & \iota \in \text{Primitive-type (for core language constructs)} \\
\pi \in \text{Type-assignment} & e \in \text{Expression} \\
i \in \text{Identifier} & op \in \text{Core-language-operator}
\end{array}
\]

\[
\begin{array}{l}
\tau ::= \iota \mid \tau_1 \to \tau_2 \mid \kappa \\
\kappa ::= \{ i : \tau_i \}_{i \in I}, \ \text{where } I \text{ is a finite set of distinct identifiers} \\
e ::= i \mid \lambda i : \tau .\, e \mid (e_1\, e_2) \mid op(e_1, \ldots, e_n) \mid \{ i = e \} \mid \mathbf{with}\ e_1\ \mathbf{do}\ e_2 \mid e_1, e_2
\end{array}
\]

\[
\frac{}{\pi \vdash i : \tau}\ \ \text{where } (i : \tau) \in \pi
\qquad
\frac{\pi + (i : \tau_1) \vdash e : \tau_2}{\pi \vdash \lambda i : \tau_1 .\, e : \tau_1 \to \tau_2}
\qquad
\frac{\pi \vdash e_1 : \tau_1 \to \tau_2 \quad \pi \vdash e_2 : \tau_1}{\pi \vdash (e_1\, e_2) : \tau_2}
\]

\[
\frac{\pi \vdash e_1 : \iota_1 \ \cdots\ \pi \vdash e_n : \iota_n}{\pi \vdash op(e_1, \ldots, e_n) : \iota}
\qquad
\frac{\pi \vdash e : \tau}{\pi \vdash \{ i = e \} : \{ i : \tau \}}
\]

\[
\frac{\pi \vdash e_1 : \{ i : \tau_i \}_{i \in I} \quad \pi + (i_1 : \tau_{i_1}) + \cdots + (i_n : \tau_{i_n}) \vdash e_2 : \tau}{\pi \vdash \mathbf{with}\ e_1\ \mathbf{do}\ e_2 : \tau}\ \ \text{where } I = \{ i_1, \ldots, i_n \}
\]

\[
\frac{\pi \vdash e_1 : \{ i : \tau_i \}_{i \in I} \quad \pi \vdash e_2 : \{ j : \tau_j \}_{j \in J}}{\pi \vdash e_1, e_2 : \{ i : \tau_i \}_{i \in I \cup J}}\ \ \text{where } I \c
ap J = \emptyset
\]

Note: $\pi + (i : \tau) = (\pi - \{ (i : \tau') \mid (i : \tau') \in \pi \}) \cup \{ i : \tau \}$

$\{ i_1 = e_1, i_2 = e_2, \ldots, i_n = e_n \}$ abbreviates $\{ i_1 = e_1 \}, \{ i_2 = e_2 \}, \ldots, \{ i_n = e_n \}$

Figure 1: Meta-language


By convention, we refer to that part of the programming language consisting of primitive arithmetic, logical, and storage operators as the language's core; in Figure 1, op(e1, ..., en) represents those operators. Definitions and parameters are extensions to the core. Definitions are modelled by records, which are sets of identifier-expression bindings [2]: {i = e} is a one-field record, e1, e2 is record append, and with e1 do e2 makes visible to e2 the bindings in e1. The example programs (1) and (2) stated above are desugared respectively into:

with {k = 0, x = location1} do
with {p = λy:int. x := @x+y} do
x := k; (p k)


and 
with {m = {k = 0, x = location1}} do
with m, {f = λa:int. a + 2} do
x := k + (f (@x))

This makes clear that binding by definitions, as modelled by records, is inherently different from binding by parameters, as handled by λ-abstraction. In particular, modules are revealed to be records, and importing a module is achieved by a with expression.

Records are product-like, and λ-abstractions are exponentiation-like. This leads us to explore their categorical relationship.

3  The  Correspondence  Theorem 

3.1  Computation  Rules 

Say that a programming language is desugared into the language of Figure 1. The computation rules for the core language constructs are preserved, but the computation rules for definition and parameter binding must desugar into the computation rules for with and application, respectively. In a call-by-name calculus, the computation rules for application and with have strikingly similar forms:

Definition 1 (Call-by-name reduction)

β-name: $((\lambda i : \tau .\, e_1)\, e_2) \ \triangleright\ [e_2/i]e_1$

ρ-name: $\mathbf{with}\ \{ i_1 = e_1, \ldots, i_n = e_n \}\ \mathbf{do}\ e \ \triangleright\ [e_1/i_1, \ldots, e_n/i_n]e$, where $[e_1/i_1, \ldots, e_n/i_n]e$ is parallel substitution.¹

Both treat binding as substitution. Indeed, the semantics of the two forms of binding correspond in Landin's sense. In a call-by-value language, the computation rules correspond again:²

Definition 2 (Call-by-value reduction)

β-value: $((\lambda i : \tau .\, e_1)\, e_2) \ \triangleright\ [e_2/i]e_1$, where $e_2$ is a value

ρ-value: $\mathbf{with}\ \{ i_1 = e_1, \ldots, i_n = e_n \}\ \mathbf{do}\ e \ \triangleright\ [e_1/i_1, \ldots, e_n/i_n]e$, where $e_1, \ldots, e_n$ are values and the notion of value is predefined, e.g., [17].

But say that the language uses a β-name rule and a ρ-value rule: correspondence fails.

¹The definition of parallel substitution is the usual one, but note that:

\[ [e_i/i]_{i \in I}(\mathbf{with}\ e_1\ \mathbf{do}\ e_2) = \mathbf{with}\ [e_i/i]_{i \in I}\, e_1\ \mathbf{do}\ ([e_i/i]_{i \in I - J}\, e_2) \]

where $\pi \vdash e_1 : \{ j : \tau_j \}_{j \in J}$ and $[e_i/i]_{i \in I - J}$ is $[e_i/i]_{i \in I}$ less those substitutions $e_j/j$ where $j \in J$. This demands that we work only with well-typed programs and computation rules that preserve typing.

²Rather than view call-by-value reduction as the application of the call-by-name βρ-rules with a fixed reduction strategy, we follow [17] and restrict the βρ-rules. This leads to a pleasant equational theory.
Correspondence is aesthetically pleasing, but there is also theoretical justification for it: when it holds, regardless of the binding strategy employed, the category freely generated from the programming language and its computation rules is a symmetric monoidal weakly closed category, that is, the category has an associative, commutative tensor product (with unit) and it has weak exponentiation. These categorical properties formally ensure that records behave correctly (order of construction of subrecords and order of fields are unimportant) and λ-abstractions behave correctly (parameter binding is the same as definition binding).

3.2  The  Value  set 

Let us now summarize the proof of the “correspondence theorem” stated in the previous paragraph. We begin by assuming that the correspondence principle is characterized by the βρ-value computation rules of Definition 2, where the notion of “value” can be varied, depending on the desired binding strategy. For example, in the call-by-name calculus, all expressions are values. In a call-by-value calculus, only some proper subset of the expressions are values.

The set of expressions termed as “values” must satisfy the following conditions:

Definition 3 (Value) Let $Value \subseteq Expression$; $Value$ is well-defined if the following conditions hold:

(i) for all $e \in Expression$, $\lambda i : \tau .\, e \in Value$;

(ii) for all $e_j \in Expression$, $1 \le j \le n$, if all $e_j \in Value$, then $\{ i_1 = e_1, \ldots, i_n = e_n \} \in Value$;

(iii) if $e \in Value$, then for all visible subexpressions, $e'$ within $e$, $e' \in Value$. (A subexpression, $e'$, within $e$ is visible if it is not contained inside $e_0$ of some $(\lambda i : \tau .\, e_0)$ and it is not contained inside $e_2$ of some $(\mathbf{with}\ e_1\ \mathbf{do}\ e_2)$.)

The intuition behind Definition 3 goes as follows. All call-by-value calculi treat λ-abstractions as closures, hence Clause (i). If an expression, $e$, is a value, then packaging it inside a record, $\{ i = e \}$, should preserve its value-ness, hence Clause (ii). Clause (iii) is the converse, generalized, of Clause (ii).

We say that an expression, $e$, is a value if $e \in Value$; $e$ has a value if $e = e'$ and $e'$ is a value; else $e$ has no value. ($e = e'$ means that $e$ is convertible to $e'$ by the computation rules, $\triangleright$.) Also, we assume that the computation rules for the core language operators have the form: $op(e_1, \ldots, e_n) \triangleright e$, where $e_1, \ldots, e_n$ are values. Given the above terminology, we add this last clause to Definition 3:

(iv) if $\pi \vdash e : \{ i : \tau_i \}_{i \in I}$ and $e$ has a value, then, for all $i \in I$, $e \downarrow i$ has a value ($e \downarrow i$ abbreviates $(\mathbf{with}\ e\ \mathbf{do}\ i)$).

This clause, a minor addition, is needed to gain the main result.


For (closed) expressions $e_1$ and $e_2$, such that $\vdash e_1 : \tau$ and $\vdash e_2 : \tau$, $e_1 \approx e_2$ iff $e_1 \approx_\tau e_2$, where: $e_1 \approx_\tau e_2$ if $e_1$ and $e_2$ have no value, or else:

\[
\begin{array}{ll}
e_1 \approx_\iota e_2 & \text{if } e_1 \text{ and } e_2 \text{ have values, and } e_1 = e_2 \\[4pt]
e_1 \approx_{\tau_1 \to \tau_2} e_2 & \text{if } e_1 \text{ and } e_2 \text{ have values, and for all } a \text{ and } b \text{ such that } a \approx_{\tau_1} b,\ (e_1\, a) \approx_{\tau_2} (e_2\, b) \\[4pt]
e_1 \approx_{\{ i : \tau_i \}_{i \in I}} e_2 & \text{if } e_1 \text{ and } e_2 \text{ have values, and for all } i \in I,\ e_1 \downarrow i \approx_{\tau_i} e_2 \downarrow i
\end{array}
\]

Figure 2: Equivalence relation

When all the well-defined Value sets for Expression are ordered by subset inclusion, they form a complete lattice, where the bottom element is formed by the inductive closure over clauses (i) and (ii) (this is the usual call-by-value calculus, except that no core language expressions are values), and the top element is Expression itself (this is the usual call-by-name calculus). From here on, we work with only those λ-calculi whose Value sets are well-defined.

3.3  The  equivalence  relation  and  category 

Our intention is to freely generate a category, $C$, from the language in Figure 1. (We assume acquaintance with elementary category theory [16].) The technique resembles that of Lambek and Scott [7]: objects of $C$ are the elements of Type-expression; morphisms in $hom(\tau_1, \tau_2)$ are equivalence classes of (closed) λ-abstractions, $\lambda i : \tau_1 .\, e$, where $\vdash \lambda i : \tau_1 .\, e : \tau_1 \to \tau_2$ holds, with respect to the equivalence relation, $\approx$, defined in Figure 2.

For open terms, $\pi \vdash e_1 : \tau$ and $\pi \vdash e_2 : \tau$, $e_1 \approx^\pi e_2$ iff for all $(i : \tau_i) \in \pi$, for all $\vdash a_i : \tau_i$ and $\vdash b_i : \tau_i$ such that $a_i \approx_{\tau_i} b_i$, $[a_i/i]e_1 \approx_\tau [b_i/i]e_2$, that is, substitution of equivalent closed terms for free variables yields equivalent closed terms.

Proposition 1

For $\pi \vdash e_1 : \tau$ and $\pi \vdash e_2 : \tau$,

(i) $\approx^\pi$ is an equivalence relation;

(ii) $e_1 = e_2$ implies $e_1 \approx^\pi e_2$;

(iii) $a \approx^{\pi'} b$ and $e_1 \approx^\pi e_2$ imply $[a/x]e_1 \approx^{\pi'} [b/x]e_2$, where $\pi' = \pi - \{ x : \tau' \}$;

(iv) $\lambda x : \tau' .\, e_1 \approx^{\pi'} \lambda y : \tau' .\, [y/x]e_1$, where $\pi' = \pi - \{ x : \tau' \}$;

(v) if $e$ has a value, then so do all its visible subexpressions;




The proofs are routine, although clauses (i) and (ii) must be proved simultaneously: $e \approx^\pi e$ with ($e_1 = e_2$ implies $e_1 \approx^\pi e_2$). Proposition 1 implies:

\[ ((\lambda i : \tau .\, e)\, e') \approx^\pi \mathbf{with}\ \{ i = e' \}\ \mathbf{do}\ e \]

which is the traditional statement of correspondence.

For convenience, we write a morphism, $[\lambda i : \tau_1 .\, e]_\approx \in hom(\tau_1, \tau_2)$, as just $\lambda i : \tau_1 .\, e$. For an object, $\tau$, the identity morphism, $\mathrm{id}_\tau$, is $\lambda i : \tau .\, i$. For morphisms $f = (\lambda i_1 : \tau_1 .\, e_1) \in hom(\tau_1, \tau_2)$ and $g = (\lambda i_2 : \tau_2 .\, e_2) \in hom(\tau_2, \tau_3)$, their composition, $g \circ f \in hom(\tau_1, \tau_3)$, is $\lambda i_1 : \tau_1 .\, ((\lambda i_2 : \tau_2 .\, e_2)\, e_1)$. With Proposition 1 in hand, we can prove that these definitions give a category.

3.4  Correspondence  implies  exponentiation 

The next, natural, step is to try to show that the category has a categorical product, $\tau_1 \times \tau_2 = \{ \mathit{fst} : \tau_1, \mathit{snd} : \tau_2 \}$, where $\pi_j = \lambda i : \{ \mathit{fst} : \tau_1, \mathit{snd} : \tau_2 \} .\, i \downarrow j$, for $j \in \{ \mathit{fst}, \mathit{snd} \}$, and $\langle f, g \rangle = \lambda i : \tau .\, \{ \mathit{fst} = (f\, i), \mathit{snd} = (g\, i) \}$. But the projection laws fail in the case when there is a phrase in the language that has no value. For example, let $f = \lambda x : int .\, 0$, $g = \lambda y : int .\, \Omega$, and say that $0$ is a value but $\Omega$ has no value. Then $\pi_{\mathit{fst}} \circ \langle f, g \rangle \not\approx f$.³ Instead, we define a tensor product:


\[ \tau_1 \otimes \tau_2 = \{ \mathit{fst} : \tau_1, \mathit{snd} : \tau_2 \} \]

\[ f \otimes g = \lambda i : \tau_1 \otimes \tau_3 .\, \{ \mathit{fst} = f(i \downarrow \mathit{fst}),\ \mathit{snd} = g(i \downarrow \mathit{snd}) \} \qquad \text{for } f \in \tau_1 \to \tau_2,\ g \in \tau_3 \to \tau_4 \]

Proposition 2 $\otimes$ is a bifunctor on $C$.

Next, we define the families of functions:

\[ \alpha_{\tau_1 \tau_2 \tau_3} : (\tau_1 \otimes (\tau_2 \otimes \tau_3)) \to ((\tau_1 \otimes \tau_2) \otimes \tau_3) \]

\[ c_{\tau_1 \tau_2} : (\tau_1 \otimes \tau_2) \to (\tau_2 \otimes \tau_1) \]

for all $\tau_1, \tau_2, \tau_3$ and show that they are natural isomorphisms. If desired, a new type expression, $\{\}$, can be added to the language, and $\pi \vdash \{\} : \{\}$ can be stated as a new axiom. The natural isomorphism:

\[ i_\tau : (\{\} \otimes \tau) \to \tau \]

completes the collection: $\otimes$ is associative, commutative, has a unit, and satisfies the MacLane-Kelly coherence conditions [10], hence $C$ is a symmetric monoidal category.

³Recall that all phrases, even $\Omega$, in a call-by-name calculus are values, so $\{ \mathit{fst} : \tau_1, \mathit{snd} : \tau_2 \}$ is a categorical product in this case.
The final step is the validation that $C$ is closed, that is, it has categorical exponentiation. With the obvious definitions:

\[ \tau_1 \Rightarrow \tau_2 = \tau_1 \to \tau_2 \]

\[ \mathit{apply} = \lambda i : \{ \mathit{fst} : \tau_1 \Rightarrow \tau_2, \mathit{snd} : \tau_1 \} .\, ((i \downarrow \mathit{fst})\, (i \downarrow \mathit{snd})) \]

\[ \mathit{closure}(f) = \lambda i_1 : \tau_1 .\, \lambda i_2 : \tau_2 .\, f\{ \mathit{fst} = i_1, \mathit{snd} = i_2 \}, \qquad \text{for } f : \{ \mathit{fst} : \tau_1, \mathit{snd} : \tau_2 \} \to \tau_3 \]

we can show the commutativity of the exponentiation diagram:

\[ f \approx \mathit{apply} \circ (\mathit{closure}(f) \otimes \mathit{id}) \qquad (1) \]

for all $f \in hom(\tau_1 \otimes \tau_2, \tau_3)$. This gives us weak exponentiation.
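The following worked derivation is added here (it is not part of the original) to show where (1) comes from. Apply both sides of (1) to a record value $r = \{ \mathit{fst} = a, \mathit{snd} = b \}$ with $a$ and $b$ values, and unfold the definitions of composition, $\otimes$, $\mathit{apply}$ and $\mathit{closure}$ above using only the β-value and ρ-value rules of Definition 2 (each $\triangleright^{*}$ is a finite sequence of those rules; $r \downarrow \mathit{fst} \triangleright a$ and $r \downarrow \mathit{snd} \triangleright b$ are ρ-value steps):

\[
\begin{aligned}
(\mathit{apply} \circ (\mathit{closure}(f) \otimes \mathit{id}))\, r
  &\triangleright^{*} \mathit{apply}\,\{ \mathit{fst} = \mathit{closure}(f)\,(r \downarrow \mathit{fst}),\ \mathit{snd} = \mathit{id}\,(r \downarrow \mathit{snd}) \} \\
  &\triangleright^{*} \mathit{apply}\,\{ \mathit{fst} = \lambda i_2 : \tau_2 .\, f\{ \mathit{fst} = a,\ \mathit{snd} = i_2 \},\ \mathit{snd} = b \} \\
  &\triangleright^{*} (\lambda i_2 : \tau_2 .\, f\{ \mathit{fst} = a,\ \mathit{snd} = i_2 \})\, b \\
  &\triangleright\ f\{ \mathit{fst} = a,\ \mathit{snd} = b \} \;=\; f\, r .
\end{aligned}
\]

Every step substitutes an argument that is itself a value (the λ-abstraction in the second line is a value by clause (i) of Definition 3), so the value rules suffice, and Proposition 1 (ii) turns the convertibility into $\approx$. If $a$ or $b$ has no value, then $r$ is not a value, neither side fires a β-value rule, both sides have no value, and they are related by the first clause of Figure 2.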

Theorem  1  The  category  freely  generated  by  Figures  1  and  2  is  a  symmetric 
monoidal  weakly  closed  category. 

We use the term “freely generated” in the theorem, because the extensionality conditions in Figure 2 are for all practical purposes necessary to make morphism composition associative and $\otimes$ a functor. (Indeed, we could formalize the previous remark by a suitable proof of initiality, but that is secondary to our goals here.)

We would like to show that the exponentiation is “strong,” that is, the choice of $\mathit{closure}(f)$ is unique. But this can fail when there are phrases of function type that have no value. For example, say that there is a family of phrases, $\Omega_\tau$, for all types $\tau$, and no $\Omega_\tau$ has a value. Then $\mathit{closure}(\lambda i : \{ \mathit{fst} : \tau_{11}, \mathit{snd} : \tau_{12} \} .\, \Omega_{\tau_3})$ could be either $(\lambda a : \tau_{11} .\, \lambda b : \tau_{12} .\, \Omega_{\tau_3})$ or $(\lambda a : \tau_{11} .\, \Omega_{\tau_{12} \to \tau_3})$, but $(\lambda b : \tau_{12} .\, \Omega_{\tau_3}) \not\approx \Omega_{\tau_{12} \to \tau_3}$, since the former has a value and the latter does not. If all phrases of function type have values, however, strong exponentiation holds. This is the case in the call-by-name calculus, and also in those call-by-value calculi that possess a lifting type, $(\tau)_\bot$, where $\bot$ represents those phrases that have no value. Then $\vdash \Omega_{\tau_1 \to \tau_2} : (\tau_1 \to \tau_2)_\bot$.

3.5  Exponentiation  implies  correspondence 

Under restrictive conditions, the existence of weak exponentiation in a language's semantics definition implies that correspondence holds. Say that the category underlying the semantics definition has the weak exponentiation property as in Figure 3. That is, $e_1 \approx \mathit{apply} \circ (\mathit{closure}(e_1) \otimes \mathit{id})$. The usual reading of the property is that $e_1$ can be given one of its inputs (the one of type $\tau_1$) and then be packaged into a closure. When the closure is unpackaged and applied to its other input, the result is exactly the same as $e_1$ applied to both its inputs. Now suppose that a programming language is written in desugared form and its semantics matches the pattern in Figure 4. Then the reading that is appropriate to Figure 3 goes as follows: $e_1$ is a code fragment that requires definitions of $\pi$- and $\tau_0$-typed values. ($\pi$ denotes the type of the nonlocal definitions; $\tau_0$ is the type of the local definition.) Just the $\pi$-definitions can be supplied, giving a code fragment, $\mathit{closure}(e_1)$, which


Assume that $\rho$ is an environment compatible with $\pi$ [25].

\[
\begin{aligned}
[\![\pi \vdash \lambda i : \tau_1 .\, e : \tau_1 \to \tau_2]\!]\rho &= \mathit{closure}([\![\pi + (i : \tau_1) \vdash e : \tau_2]\!])\rho \\[4pt]
[\![\pi \vdash (e_1\, e_0) : \tau_2]\!]\rho &= \mathit{apply}\{ \mathit{fst} = [\![\pi \vdash e_1 : \tau_1 \to \tau_2]\!]\rho,\ \mathit{snd} = [\![\pi \vdash e_0 : \tau_1]\!]\rho \} \\[4pt]
[\![\pi \vdash \{ i = e \} : \{ i : \tau \}]\!]\rho &= \{ i = [\![\pi \vdash e : \tau]\!]\rho \} \\[4pt]
[\![\pi \vdash \mathbf{with}\ e_0\ \mathbf{do}\ e_1 : \tau]\!]\rho &= [\![\pi + (i : \tau_0) \vdash e_1 : \tau]\!](\rho \otimes ([\![\pi \vdash e_0 : \{ i : \tau_0 \}]\!]\rho)), \\
&\qquad \text{where } (\rho \otimes \{ i = v \}) = \{ \mathit{fst} = \rho,\ \mathit{snd} = v \} \\[4pt]
[\![\pi \vdash i : \tau]\!]\rho &= \rho(\text{deBruijn-index-of}(i))
\end{aligned}
\]

Figure 4: Environment Semantics


requires a $\tau_0$-typed parameter. When the parameter is supplied, the result is the same as $e_1$ with all its definitions for $\pi$ and $\tau_0$. Figure 3 tells us: $[\![\pi \vdash \mathbf{with}\ \{ i = e_0 \}\ \mathbf{do}\ e_1 : \tau_2]\!]\rho = [\![\pi \vdash ((\lambda i : \tau_1 .\, e_1)\, e_0) : \tau_2]\!]\rho$. Since the semantics in Figure 4 preserves meaning under substitution: $[\![\pi \vdash [e_1/i]e_2 : \tau_2]\!]\rho = [\![\pi + (i : \tau_1) \vdash e_2 : \tau_2]\!](\rho \otimes (i = [\![\pi \vdash e_1 : \tau_1]\!]\rho))$, for $e_1 \in Value$, we immediately derive the soundness of the β-val and the ρ-val reduction rules: correspondence holds. The format in Figure 4 matches that used for lazy imperative languages and functional languages. Of course, a programming language can have correspondence even if its semantics does not match the format in the figure.


3.6  Extensions 

Say there is a phrase, $\Omega_\iota$, of primitive type that has no value. This implies that phrases without value exist for all types $\tau$: $\Omega_\tau$ is $((\lambda a : \iota .\, e_0)\, \Omega_\iota)$, for a closed phrase, $e_0$, of type $\tau$. This phenomenon prevents a proof of categorical product and strong exponentiation. On the positive side, it means that the addition of higher order constants, like $fix$, does not impact the results already proved. We can add a family of binary $fix$ operators, with the computation rule:

\[ fix\,(i : \tau)\, e \ \triangleright\ [(fix\,(i : \tau)\, e)/i]e \]


Although our proof does not require it, in practice, the definition of $Value$ should be “monotonic” with respect to substitution and computation in the sense that: (i) if $e_1, e_2 \in Value$, then $[e_1/i]e_2 \in Value$; and (ii) if $e \in Value$ and $e \triangleright e'$, then $e' \in Value$ as well. A consequence is that, if the computation rules are orthogonal [6], the rule set possesses the closure property and is confluent [5, 6, 15].

Finally, the computation rules we use can be restricted so that they perform weak reduction, that is, an expression is a redex if it is visible and it matches the left-hand side of a computation rule. The proofs of the previous results carry through unaltered, since the reasoning in the proofs is extensional in nature. (But note that the previous remarks regarding confluence do not hold [3].)

4 Applications to Compiling

The obvious impact of correspondence on an implementation of a programming language is that the same implementation of binding can be used for both definitions and parameters. But the framework used to produce the results in Section 3 is of significance in itself, because Definition 3 and the $\beta\rho$-value rules provide a natural style of compilation of a program. The idea is simple but important, because virtually all compilers exploit it: the binding of an identifier, $i$, to an expression, $e \in \mathit{Value}$, can be performed at compile-time. Indeed, this activity might be considered the essence of compiling [20, 27]. Here is an initial, significant example: regardless of a language's binding strategy, a collection of declarations of parameterized subroutines can be processed at compile-time because they form a record of $\lambda$-abstractions, which must be a value, by Definition 3. For example, regardless of binding strategy, the code segment:

begin module m = { procedure p(a:int) = x := a }
in begin use m, function f(b:int) = b + 2
in call p(f(@x)) end end

which desugars to:

with {m = {p = λa : int . x := a}} do
with m, {f = λb : int . b + 2} do (p (f (@x)))

can be evaluated by a compiler to: ((λa : int . x := a) ((λb : int . b + 2) (@x))). This matches the usual compile-time processing. (Of course, a compiler copies addresses to the code for p and f, rather than the code itself.) If a compiler is given additional information, e.g., that numerals are values, then definitions like const a = 2 can also be evaluated at compile-time.

4.1 Commands as values

If commands are also values, then unparameterized procedures can be evaluated at compile-time, as in the following example:

begin const a = 2
in begin procedure p = x := f + a
in call p; call p end end

This desugars to: with {a = 2} do with {p = x := f + a} do p; p and evaluates at compile-time to: x := f + 2; x := f + 2. A corresponding example with a command parameter would read:

begin const a = 2 in
begin procedure p = (x := f + a), procedure q(r:comm) = (r; r)
in call q(call p) end end

This desugars to:

with {a = 2} do with {p = (x := f + a), q = (λr : comm . r; r)} do (q p)

and evaluates at compile-time to x := f + 2; x := f + 2 as well. Commands, like x := f + a, are values in imperative-style call-by-name languages like Algol-60 as well as in imperative-style call-by-value languages like Pascal. The latter point is often overlooked by Pascal programmers, but a Pascal compiler is well aware of it.

Functional-style call-by-value languages like Scheme and SML usually disallow commands as values. An SML-like program fragment such as:

begin function f(a:comm) = 2 in x := 0; f(x := @x+1) end

is desugared to with {f = λa : comm . 2} do x := 0; f(x := @x + 1) and is compile-time evaluated to x := 0; (λa : comm . 2)(x := @x + 1), but the actual parameter, which is not a value, can not be bound to the formal parameter until run-time. Only when the run-time storage vector is available can the command be evaluated to a value. (In SML, the resulting "value" is ().) Thus, the compiler must generate object code for making the run-time binding.

4.2 Expressions as values

A related situation arises with arithmetic expressions. In a call-by-name language, all expressions are values, and the examples:

begin function f = @x + 1 in x := f; x := f end

begin procedure p(f:int) = (x := f; x := f) in call p(@x+1) end

both compile to x := @x + 1; x := @x + 1. This is an example of the classic Algol-60 copy rule in action. In contrast, in a typical call-by-value language, numerals are values, but compound arithmetic expressions, like @x + 1, are not. The best a compiler can do with the previous examples is: with {f = @x + 1} do x := f; x := f and (λf : int . x := f; x := f)(@x + 1), respectively. The compiler can not copy the body of f for its invocations. The reason should be clear: the evaluation of @x+1 to a numeral fixes f's value for all its subsequent uses. Since @x+1 requires the run-time store for its evaluation, the compiler must generate object code to evaluate the expression and bind its result into (a cell for) f.

The above example should not be read as suggesting that call-by-name is necessarily better than call-by-value, but it is different. One should note from the example, however, that confusion easily arises when the semantics of expression definitions (i.e., functions) does not correspond to the semantics of expression parameters.

A compiler that folds constants can evaluate arithmetic expressions like 1+2 to values like 3 and copy the results at compile-time.
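The compile-time binding described in Sections 4, 4.1 and 4.2, as an added Python example that is not code from the paper: the term language, the value predicate and the three language policies (ALGOL60, PASCAL, SML) are our own constructions standing in for Definition 3 and the βρ-value rules, and each of the three desugared programs above is reduced under each policy to show what is left for the object code.

```python
from dataclasses import fields, is_dataclass, make_dataclass

# Desugared core of Section 4: each constructor is a frozen dataclass node.
Var = make_dataclass("Var", ["name"], frozen=True)
Const = make_dataclass("Const", ["value"], frozen=True)                 # numeral
Lam = make_dataclass("Lam", ["param", "typ", "body"], frozen=True)     # lambda i : t . e
App = make_dataclass("App", ["fn", "arg"], frozen=True)                # e1 e2
Record = make_dataclass("Record", ["entries"], frozen=True)            # {m1 = e1, ..., mn = en}
With = make_dataclass("With", ["records", "body"], frozen=True)        # with r1, ..., rk do body
Assign = make_dataclass("Assign", ["target", "rhs"], frozen=True)      # x := e   (a command)
Deref = make_dataclass("Deref", ["var"], frozen=True)                  # @x
Plus = make_dataclass("Plus", ["left", "right"], frozen=True)          # e1 + e2
Seq = make_dataclass("Seq", ["first", "second"], frozen=True)          # c1; c2

# Lambda-abstractions and records of values are always values (Definition 3).
# What else counts is language-specific; these constructed policies mirror the
# languages named in Sections 4.1 and 4.2 (our reading of the text, not a definition from it).
ALGOL60 = frozenset({"numerals", "commands", "expressions"})   # call-by-name
PASCAL = frozenset({"numerals", "commands"})                   # imperative call-by-value
SML = frozenset({"numerals"})                                  # functional call-by-value

def is_value(t, policy):
    if isinstance(t, Lam):
        return True
    if isinstance(t, Record):
        return all(is_value(e, policy) for _, e in t.entries)
    if isinstance(t, Const):
        return "numerals" in policy
    if isinstance(t, (Assign, Seq)):
        return "commands" in policy
    return isinstance(t, (Deref, Plus)) and "expressions" in policy

def rebuild(t, f):
    """Copy node t with f applied to every sub-term (tuples are traversed)."""
    def go(v):
        if isinstance(v, tuple):
            return tuple(go(x) for x in v)
        return f(v) if is_dataclass(v) else v
    return type(t)(*(go(getattr(t, fl.name)) for fl in fields(t)))

def subst(t, name, val):
    """[val/name]t. Capture avoidance is omitted (the examples reuse no binder
    names) and a module variable among the with-records is assumed not to shadow."""
    if isinstance(t, Var):
        return val if t.name == name else t
    if isinstance(t, Lam) and t.param == name:
        return t
    if isinstance(t, With):
        recs = tuple(subst(r, name, val) for r in t.records)
        bound = {n for r in recs if isinstance(r, Record) for n, _ in r.entries}
        return With(recs, t.body if name in bound else subst(t.body, name, val))
    return rebuild(t, lambda u: subst(u, name, val))

def compile_time(t, policy):
    """Apply rho-val (with) and beta-val (application) wherever the operand is a
    value; whatever remains is what the compiler must emit object code for."""
    c = lambda u: compile_time(u, policy)
    if isinstance(t, With):
        body, pending = t.body, []
        for r in map(c, t.records):
            if isinstance(r, Record) and is_value(r, policy):        # rho-val
                for n, e in r.entries:
                    body = subst(body, n, e)
            else:
                pending.append(r)                                    # bound at run time
        body = c(body)
        return body if not pending else With(tuple(pending), body)
    if isinstance(t, App):
        fn, arg = c(t.fn), c(t.arg)
        if isinstance(fn, Lam) and is_value(arg, policy):            # beta-val
            return c(subst(fn.body, fn.param, arg))
        return App(fn, arg)
    return rebuild(t, c)

# The three desugared programs of Sections 4, 4.1 and 4.2.
def subroutines_example(policy):
    """with {m = {p = λa:int. x := a}} do with m, {f = λb:int. b + 2} do (p (f (@x)))"""
    p = Lam("a", "int", Assign("x", Var("a")))
    f = Lam("b", "int", Plus(Var("b"), Const(2)))
    prog = With((Record((("m", Record((("p", p),))),)),),
                With((Var("m"), Record((("f", f),))),
                     App(Var("p"), App(Var("f"), Deref("x")))))
    return compile_time(prog, policy)

def command_example(policy):
    """with {a = 2} do with {p = x := f + a} do p; p"""
    prog = With((Record((("a", Const(2)),)),),
                With((Record((("p", Assign("x", Plus(Var("f"), Var("a")))),)),),
                     Seq(Var("p"), Var("p"))))
    return compile_time(prog, policy)

def expression_example(policy):
    """with {f = @x + 1} do x := f; x := f"""
    prog = With((Record((("f", Plus(Deref("x"), Const(1))),)),),
                Seq(Assign("x", Var("f")), Assign("x", Var("f"))))
    return compile_time(prog, policy)
```

Under PASCAL and SML the first program stops at the two applications given in the text, while under ALGOL60 the same program folds all the way to x := @x + 2; the second and third programs show the with-binding surviving to run time exactly when the bound phrase is not a value.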

4.3 Declarations as values

Modules are declarations that are records, and Clauses (ii) and (iii) of Definition 3 ensure that a module is a value exactly when all its components are. The consequences are straightforward. But in imperative languages, variable declarations in modules can affect sharing. Say that a declaration, var x, is desugared to alias x = allocate, where allocate needs the run-time store to evaluate. The sharing of variable x by modules n and p in:

begin module m = { var x },
      module n(a:{x:intloc}) = begin use a in
                                 { procedure p = x := 0 }
                               end,
      module p(b:{x:intloc}) = begin use b in
                                 { procedure q = x := @x+1 }
                               end
in use n(m), use p(m)
end

is directly dependent upon whether or not the allocate operation is a value. This example makes clear why compilers typically "evaluate" allocate to a relative address.

5 Conclusion

We have shown the importance of the correspondence principle to modular, higher-order programming languages, and we have validated correspondence by proving it is weak exponentiation in a symmetric monoidal closed category. A simple perspective on the main result, the correspondence theorem (Theorem 1), is that the theorem is the natural generalization of the cartesian closedness property for the call-by-name simply-typed $\lambda$-calculus [7] to monoidal closedness for call-by-value $\lambda$-calculi. But it is only because of the correspondence between product and function space that the generalization is possible. The variety of correspondence (i.e., which variant of call-by-value) is unimportant — what is important is the correspondence principle itself.
Abstract

In this paper we present an operational semantics for the language TOOPLE, a statically-typed functional object-oriented programming language which has a number of desirable properties. The operational semantics, given in the form of a natural semantics, is significantly simpler than the previous denotational semantics for the language. A "subject reduction" theorem for the natural semantics provides a proof that the language is type-safe. We also show that the natural semantics is consistent with the denotational semantics of the language.

Computing Review categories: D3.2 Object Oriented Languages, F3.2 Operational Semantics, F3.3 Type structure.

1 Introduction

Object-oriented languages promise to provide support for reusability and modularity of program code. Reusability is achieved by inheritance, which allows subclasses to be created easily from classes, and by subtyping, which allows elements of a subtype to be used in contexts which expect elements of the supertype. Modularity is achieved by the encapsulation of methods, which gives programs independence from the implementation details of the classes they use.

Static typing has clear advantages for programming languages as long as it does not interfere with expressibility in the language. Unfortunately, most extant statically-typed object-oriented languages are either type-unsafe or are unduly restrictive in the programs accepted by the type checker. For example, the holes in the type system for Eiffel are well-known, while C++, Object Pascal, and Modula-3 are unduly restrictive in not allowing changes in the types of methods in subclasses (derived classes). The design of the language TOOPLE¹ (see [Bru93a, Bru93b]) represents progress in solving both of these problems by ensuring type-safety while providing greater expressibility than other statically-typed object-oriented languages which are type-safe. The introduction to [Bru93b] includes an extensive comparison with other statically-typed object-oriented programming languages. We simply remark here that a key to the combination of safety and greater expressibility in TOOPLE is the separation of the subclass and subtype hierarchies, as suggested in [CHC90].

¹ TOOPLE is a minor modification of TOOPL (Typed Object-Oriented Programming Language) in which class terms are required to include slightly more typing information as part of their syntax. This change was necessary in order to provide an algorithm for type-checking terms and ensure that each term has a minimal type.

An important design goal of TOOPLE was to provide a modular type-checking system for the language. In most current object-oriented languages, the inheritance mechanism creates problems for the type checker. While a program that merely uses a class can be written and checked independently of the class code (assuming that an interface and corresponding type specification are given), to type check a class which inherits from another class, one often needs to go back and repeat the process of type checking the bodies of inherited methods from the superclass. This is necessary in order to ensure that overriding other methods from the superclass (in particular, changing their types) does not affect the types of inherited methods.

In an ideal object-oriented language, the inheritance mechanism itself will be modular. That is, one should be able to write and check programs, and find errors, looking only at the types of the superclass and the code of the modifications. For instance, a type-checking mechanism with these properties will be necessary if vendors are to be able to distribute libraries in compiled form only. The type-checking rules for TOOPLE do provide this modularity. The user need only know the type of a class in order to define and type check any subclass of that class.

We can summarize these important properties of TOOPLE as follows:

• Type safety: If a term has a type, $\tau$, then the result of evaluating that term will be an element of type $\tau$. In particular, no error messages of the form "message not understood" will arise during the evaluation of a well-typed term.

• Modularity of type-checking: If a class has a type, then methods inherited in a subclass continue to have the types specified in the superclass. Moreover, in order to type-check a subclass we need not have access to the bodies of methods inherited from the superclass. Only the types of the inherited methods are needed from the superclass.

Earlier papers on TOOPL provided a denotational semantics of the language. Building on earlier work of Cook et al. ([CHC90]) and Mitchell ([Mit90]) on the semantics of inheritance in typed programming languages, the denotational semantics is based on a higher-order extension of $F_\leq$, the bounded second-order lambda calculus. The denotational semantics involves fixed points at both the element and type level, making the semantics more complex than might be desired.

For some purposes, such as implementation or program verification, a natural semantics is more useful. Thus, in this paper, we present an operational semantics for the language. This semantics is significantly less complex than the denotational semantics, as it involves no higher order concepts and no fixed points. The operational semantics is given in the form of a natural semantics (see [NN92] or [Gun92] for more details on natural semantics).

In [Bru93a, Bru93b], the first author showed that the language is type-safe by showing that the meaning of a term is included in the set of values corresponding to its type. Here we provide an alternative proof of this fact by proving a "subject reduction" theorem for the operational semantics. This theorem states that if a term has a type, then the term which results from fully reducing (evaluating) the original term also has the same type.

Of course, when one provides a different style of semantics for a language, one is in danger of creating a semantics which is no longer consistent with the original one. Thus we prove that the operational semantics is consistent with the earlier denotational semantics. In particular, if a term $e$ reduces to a term $v$ in the operational semantics, we show that $e$ and $v$ have the same denotational semantics.

In section 2 of this paper, we provide a very brief description of the syntax of TOOPLE, along with a few simple sample programs. In section 3, we present the operational and denotational semantics of TOOPLE as well as some preliminary lemmas which are necessary for the results in the rest of the paper. This includes a statement of the minimal typing theorem for TOOPLE, which was proved in [BCD+93]. In section 4, the subject reduction theorem is proved. As noted above, this leads to an alternative proof of the type safety of the language. In section 5, the natural semantics of TOOPLE is shown to be consistent with the denotational semantics of the language. Finally, in the last two sections we provide a brief comparison with other attempts at modeling object-oriented programming languages, and conclude with a discussion of other results on TOOPLE.

Because of space restrictions, this version of the paper only discusses the restriction of TOOPLE to a language in which classes have no instance variables.


2 A brief introduction to TOOPLE

TOOPLE is a statically-typed functional object-oriented programming language. It offers full support for object-oriented features including objects, classes, methods, hidden instance variables, dynamic method invocation, subclasses, and subtypes. Moreover, TOOPLE provides mechanisms to allow the programmer to refer to the current object (self), its type (MyType), and the record of methods of its superclass (super). We presume the reader is familiar with the fundamental concepts of object-oriented languages, though they are described briefly below.

Objects consist of a collection of instance variables, representing the state of the object, and a collection of methods, which are routines for manipulating the object. When a message is sent to an object, the corresponding method of the object is executed. Classes are extensible templates for creating objects. In particular, classes contain initial values for instance variables and the bodies for methods. All objects generated from the same class share the same methods, but may contain different values for their instance variables. A subclass may be defined from a class by either adding to or modifying the methods and instance variables of the original class. (Restrictions on the modification of the types of methods and instance variables in subclasses are necessary in order to preserve type-safety.) Methods which are not modified in subclasses are said to be inherited from their superclass.

All terms of the language, including both classes and objects, have associated types. We say type $T$ is a subtype of $U$ if a value of type $T$ can be used in any context in which a value of type $U$ is expected. Note that subtyping depends only on the type of values, while subclasses and inheritance depend upon their implementations. It was pointed out in [CHC90] that if one class is a subclass of another, the type of the objects generated by the subclass need not be a subtype of the type of the objects generated by the original class.

A bound variable, usually written as self, may be used in methods as a name for the current object. Since our language is statically typed, it will be necessary to assign a type to all occurrences of self. Because the meaning of self will change when methods are inherited in subclasses, its type will change as well. Thus we will use a bound variable, usually written as MyType, as the type of self.

Finally, when new definitions are given to methods in a subclass, it is useful to be able to refer to the methods of the superclass. For instance, one often wishes to apply the method body from the superclass and then perform a few more operations before returning from the redefined method. We provide a bound variable, usually written as super, to refer to the record of methods of the superclass.

We note that instance variables are omitted in this conference paper to keep the language as simple as possible. The addition of instance variables raises no serious complications in the development of the technical results.

The types for TOOPLE are defined as follows:

Definition 2.1 Let $\mathit{VTp}$ be an infinite collection of type variables, $\mathcal{L}$ be an infinite collection of labels, and $\mathit{CTp}$ be a collection of type constants which includes at least the type constants Bool and Num. The type expressions with respect to $\mathit{VTp}$ and $\mathit{CTp}$ are defined as follows:

1. If $t \in \mathit{VTp} \cup \mathit{CTp}$ then $t$ is a type expression.

2. If $\sigma$ and $\tau$ are type expressions, then so is $\sigma \to \tau$.

3. If $m_1, \ldots, m_n \in \mathcal{L}$ and $\tau_1, \ldots, \tau_n$ are type expressions, then $\{m_1 : \tau_1; \ldots; m_n : \tau_n\}$ is a (record) type expression.

4. If $\tau$ is a record type expression and $MyType \in \mathit{VTp}$, then $ObjectType(MyType)\tau$ and $ClassType(MyType)\tau$ are type expressions. MyType is considered to be a bound variable in these two type expressions, and binds all free occurrences of MyType in $\tau$.

Types of the form $\sigma \to \tau$ represent function spaces. Object types are written in the form $ObjectType(MyType)\tau$, where $\tau$ is the type of the record of methods of the object. Similarly, class types are of the form $ClassType(MyType)\tau$.

Definition 2.2 The pre-terms of TOOPLE are as follows:

$M ::= v \mid \mathbf{if}\ B\ \mathbf{then}\ M\ \mathbf{else}\ N \mid \mathbf{fun}(v : \sigma)\,M \mid M\,N \mid M = N \mid e.m_i \mid \{m_1 = e_1, \ldots, m_n = e_n\} \mid \mathbf{class}(self : MyType <_{meth} ObjectType(MyType)\tau)\,e \mid \mathbf{new}\ c \mid o \Leftarrow m \mid \mathbf{obj}(self : MyType <_{meth} ObjectType(MyType)\tau)\,e \mid \mathbf{update}\ c\ \mathbf{by}(self : MyType <_{meth} ObjectType(MyType)\tau'; super)\{m_i = e'_i\} \mid \mathbf{extend}\ c\ \mathbf{with}(self : MyType <_{meth} ObjectType(MyType)\tau'; super)\{m_{n+1} = e_{n+1}\}$

In the above grammar, $B$, $M$, $N$, $c$, $o$, $e$, and the various $e_i$ refer to pre-terms.

Most of the pre-terms should be self-explanatory. A pre-term of the form $\mathbf{class}(self : MyType <_{meth} ObjectType(MyType)\tau)\,e$ represents a class whose method bodies are contained in the record $e$ with type $\tau$.² As discussed earlier, self can be used in the body of a method to refer to the object executing the method. MyType represents the type of self.

A pre-term of the form $\mathbf{obj}(self : MyType <_{meth} ObjectType(MyType)\tau)\,e$ represents an object with method bodies in $e$.³ If $c$ is a class then $\mathbf{new}\ c$ represents an object generated from $c$. "Update" and "extend" pre-terms provide ways of modifying or adding new methods to a class. A pre-term of the form $o \Leftarrow m$ represents sending the message $m$ to object $o$. Sample TOOPLE code is given at the end of this section.

² The addition of $<_{meth} ObjectType(MyType)\tau$ after MyType in class definitions is necessary in order to obtain a minimal type for all terms of TOOPLE. This addition for class, update, and extend terms is the only difference between the language TOOPL described in previous papers and the language presented here.

³ Obj terms are not actually in the source language. However they are used as an intermediate form of a term in the natural semantics. As a result, we include them here.

Aside from the subtyping relation ($<$) discussed above, we need another ordering on object types which is related to types obtained via subclasses. This ordering, $<_{meth}$, is a pointwise ordering on method types. If $o$ is an object of type $ObjectType(MyType)\tau$, generated from class $c$, and $ObjectType(MyType)\tau'$ is the type of an object generated from a subclass of $c$, then $ObjectType(MyType)\tau' <_{meth} ObjectType(MyType)\tau$. The axioms and rules for $<$ and $<_{meth}$ are given in Appendix A. The subtyping rules and axioms are given with respect to a collection, $C$, of simple type constraints of the form $t < \tau$ and $t <_{meth} \tau$. See [Bru93b] or [Bru93a] for further explanation. Note that $C \vdash ObjectType(MyType)\tau' <_{meth} ObjectType(MyType)\tau$ iff $C \vdash \tau' < \tau$.

Most rules should be familiar with the possible exception of the subtyping rule for object types. This rule arises from the fact that object types are defined recursively (in order for MyType to stand for the type of the object in its type definition).

The actual terms of TOOPLE are those which can be type checked with respect to a collection, $C$, of simple type constraints, and an assignment, $E$, of types to variables. The type-checking rules for TOOPLE can be found in [Bru93b] or [Bru93a], where they are explained in some detail. Note that it is possible to redefine a method in a subclass in such a way that the type of the new method is a subtype of the type in the superclass.

The following restrictions on type constraint systems will allow us to show that each term has a minimum type.⁴

Definition 2.3 Let $C$ be a type constraint system. We say that $C$ is manageable if the following conditions hold, where $s$ and $t$ range over type variables:

1. If $(t <_{meth} ObjectType(MyType)\tau) \in C$, then there is no term of the form $(s < t) \in C$.

2. There are no terms of the form $(t < ObjectType(MyType)\tau) \in C$.

These two rules essentially disallow introducing a type variable which is a subtype of an object type.

A collection of type-checking rules for computing the minimal types of terms of TOOPLE can be found in Appendix B. These rules represent an algorithm for computing the minimal type of a term of TOOPLE as long as $C$ is a manageable type constraint system. Note that there are two rules for each of function application (MAppl and MAppl'), record field extraction (MProj and MProj'), and message passing (MMsg and MMsg'). These are necessary since these operations may be applied to items whose minimum types are type variables. The most important place where this arises is when a message is sent to self, whose type is MyType.

The following theorem from [BCD+93] gives the relation between the type-checking rules given in [Bru93a, Bru93b] and the minimal typing rules given in Appendix B.

Theorem 2.4 Suppose that $C$ is manageable. Then $C, E \vdash e : \tau$ according to the type-checking rules in [Bru93b] or [Bru93a] iff there is a type $\tau'$ such that $C, E \vdash_M e : \tau'$ and $C \vdash \tau' < \tau$.

As a result, it will be sufficient to use the rules for deriving minimum types given in Appendix B. This will be useful later in the paper after we have introduced the natural (operational) semantics of TOOPLE. We will show that the minimum types of terms generated in the evaluation of a TOOPLE term are all subtypes of the minimum type of the original term.

⁴ In [BCD+93] we restrict type constraint systems even further. However the definition of manageable type constraints given here is sufficient to prove minimum types for terms.

We end this brief introduction with the inclusion of a few examples of terms and their types from [Bru93b].

PointClass =
  class(self : MyType <_meth ObjectType(MyType){x, y : Int; eq : MyType → Bool})
    {x = 0, y = 0, eq = fun(p : MyType) ((self ⇐ x) = (p ⇐ x)) & ((self ⇐ y) = (p ⇐ y))}

has type PointClassType = ClassType(MyType){x, y : Int; eq : MyType → Bool}, and represents points with x, y, and eq methods.

PtObj = new PointClass is an object generated from PointClass. Its type is

PointType = ObjectType(MyType){x, y : Int; eq : MyType → Bool}.

Let

ColorPointType = ObjectType(MyType){x, y : Int; c : ColorType; eq : MyType → Bool}.

We can add a color method to PointClass using the "extend" term:

ColorPointClass =
  extend PointClass by (self : MyType <_meth ColorPointType; super) {c = Red}

If we wish to change the method eq so that it now also checks the color components of two records, we define

NuColorPointClass =
  update ColorPointClass with (self : MyType <_meth ColorPointType; super)
    {eq = fun(p : MyType) super.eq(p) & ((self ⇐ c) = (p ⇐ c))}.

Notice the use of super in the updated eq method to perform the old eq body, before testing the equality of colors.

Finally we note that by rule (MMsg) the term $PtObject \Leftarrow eq$ has type $PointType \to Bool$. On the other hand, if ColorPtObject is an object generated from NuColorPointClass having type ColorPointType, then $ColorPtObject \Leftarrow eq$ has type $ColorPointType \to Bool$. This illustrates the flexibility obtained by the use of self and its type MyType.


3 Semantic definitions and preliminary lemmas

In this section we present some fundamental definitions and lemmas which will be useful in the proofs in the following sections. We also present the natural and denotational semantics for TOOPLE. We begin with a description of some of our notation.

Definition 3.1 We write $a = b$ to denote that $a$ and $b$ are syntactically identical, up to renaming of bound variables.

Definition 3.2 We write $e[a/x]$ to denote the substitution of $a$ for $x$ in $e$, where we first rename bound variables as necessary to avoid capture of free variables.

The natural semantics and denotational semantics for terms of TOOPLE can be found in Appendices C and D. In the natural semantics we will use $C, E \vdash e : \tau \Downarrow v$ as an abbreviation for $C, E \vdash e : \tau$ and $e \Downarrow v$. We read this as: $e$ is a term with type $\tau$ which reduces to $v$, which is an irreducible term.

The irreducible terms are constants, function abstractions, records, classes, and objects. Most rules for non-object-oriented features should be familiar. By RRecord, RClass, RAppl, and RNew, the evaluation strategy is "lazy." That is, subterms are not evaluated until necessary.

The most interesting rule is RMsg, for sending a message to an object. When a term of the form $o \Leftarrow m$ is evaluated, $o$ is reduced to a term of the form $o' = \mathbf{obj}(self : MyType <_{meth} \gamma)\,e$, where $e$ is its record of methods. Then self is replaced by $o'$ and MyType by $\gamma$ in $e$, which is then evaluated to a record term. Finally, the record component corresponding to $m$ is evaluated and returned as the final answer.

While self is an irreducible value, it should be noted that when a message is sent to an object, all occurrences of self are replaced by the object, so self no longer occurs in the method body when it is actually evaluated.
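The RMsg, RNew and RAppl behaviour just described, as an added Python evaluator that is not the paper's (the rules themselves live in Appendix C, which is not reproduced here). The term representation, the string-valued type annotations and the coordinate parameters of point_class are our assumptions; the PointClass term is the one from Section 2.

```python
from dataclasses import fields, is_dataclass, make_dataclass

# The pre-terms of Definition 2.2 that the rules below touch; type annotations
# are carried as strings, since evaluation never inspects them.
Num = make_dataclass("Num", ["value"], frozen=True)
Bool = make_dataclass("Bool", ["value"], frozen=True)
Var = make_dataclass("Var", ["name"], frozen=True)
Fun = make_dataclass("Fun", ["param", "typ", "body"], frozen=True)     # fun(v : sigma) M
App = make_dataclass("App", ["fn", "arg"], frozen=True)                # M N
Eq = make_dataclass("Eq", ["left", "right"], frozen=True)              # M = N
And = make_dataclass("And", ["left", "right"], frozen=True)            # M & N
Rec = make_dataclass("Rec", ["entries"], frozen=True)                  # {m1 = e1, ..., mn = en}
Class = make_dataclass("Class", ["obj_type", "methods"], frozen=True)  # class(self : MyType <meth obj_type) e
Obj = make_dataclass("Obj", ["obj_type", "methods"], frozen=True)      # obj(self : MyType <meth obj_type) e
New = make_dataclass("New", ["cls"], frozen=True)                      # new c
Msg = make_dataclass("Msg", ["obj", "method"], frozen=True)            # o <= m

def rebuild(t, f):
    """Copy node t with f applied to every sub-term (tuples are traversed)."""
    def go(v):
        if isinstance(v, tuple):
            return tuple(go(x) for x in v)
        return f(v) if is_dataclass(v) else v
    return type(t)(*(go(getattr(t, fl.name)) for fl in fields(t)))

def subst(t, name, val, my_type=None):
    """t[val/name]; when my_type is given, MyType is replaced by it in annotations
    as well. Capture avoidance is omitted: the example reuses no binder names."""
    if isinstance(t, Var):
        return val if t.name == name else t
    if isinstance(t, Fun):
        typ = t.typ.replace("MyType", my_type) if my_type else t.typ
        body = t.body if t.param == name else subst(t.body, name, val, my_type)
        return Fun(t.param, typ, body)
    if isinstance(t, (Class, Obj)):     # self and MyType are rebound inside these
        return t if name == "self" else type(t)(t.obj_type, subst(t.methods, name, val))
    return rebuild(t, lambda u: subst(u, name, val, my_type))

def evaluate(t):
    """e ⇓ v for the rules named in Section 3; irreducible terms are returned as-is."""
    if isinstance(t, (Num, Bool, Fun, Rec, Class, Obj)):
        return t
    if isinstance(t, App):                   # RAppl: the argument is passed unevaluated
        f = evaluate(t.fn)
        assert isinstance(f, Fun), "application of a non-function"
        return evaluate(subst(f.body, f.param, t.arg))
    if isinstance(t, Eq):
        return Bool(evaluate(t.left) == evaluate(t.right))
    if isinstance(t, And):
        return Bool(evaluate(t.left).value and evaluate(t.right).value)
    if isinstance(t, New):                   # RNew: the object takes over the class's record
        c = evaluate(t.cls)
        assert isinstance(c, Class), "new applied to a non-class"
        return Obj(c.obj_type, c.methods)
    if isinstance(t, Msg):                   # RMsg
        o = evaluate(t.obj)
        assert isinstance(o, Obj), "message sent to a non-object"
        # self -> o' and MyType -> gamma in the method record, then reduce it to a record
        record = evaluate(subst(o.methods, "self", o, my_type=o.obj_type))
        assert isinstance(record, Rec), "method record did not reduce to a record"
        body = dict(record.entries).get(t.method)
        assert body is not None, f"message not understood: {t.method}"   # excluded by type safety
        return evaluate(body)
    raise NameError(f"unbound or unknown term: {t!r}")

POINT_TYPE = "ObjectType(MyType){x,y : Int; eq : MyType -> Bool}"

def point_class(x, y):
    """PointClass of Section 2; the x, y arguments are ours so that two points can differ."""
    me, p = Var("self"), Var("p")
    eq = Fun("p", "MyType",
             And(Eq(Msg(me, "x"), Msg(p, "x")), Eq(Msg(me, "y"), Msg(p, "y"))))
    return Class(POINT_TYPE, Rec((("x", Num(x)), ("y", Num(y)), ("eq", eq))))

def points_equal(a, b):
    """Evaluate ((new a) <= eq) (new b) and return the resulting Bool term."""
    return evaluate(App(Msg(New(a), "eq"), New(b)))
```

Evaluating new PointClass ⇐ eq returns the eq closure with self already replaced by the object and MyType by its object type, which is why the later message sends inside the body need no environment.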

The subject reduction theorem, presented in section 4, will show that the reduced term, $v$, will have a minimal type that is a subtype of the type of the original term $e$. It follows that, in the original typing system, if $C, E \vdash e : \tau \Downarrow v$, then $C, E \vdash v : \tau$.

The substitution lemma for types is necessary to prove the subject reduction theorem. It ensures that substitution is a well-behaved operation with respect to the subtyping relation. More formally:

Lemma 3.3 Let $C$ be manageable and let $x$ be a variable. Assume that there exist terms and types such that $C, E \vdash_M e : \tau$, $C, E \vdash_M x : \sigma$, $C, E \vdash_M a : \sigma'$, and $C \vdash \sigma' < \sigma$. Then there exists some $\tau'$ such that $C, E \vdash_M e[a/x] : \tau'$ and $C \vdash \tau' < \tau$. Furthermore, if $\tau$ is a class type, then $\tau' = \tau$.

Proof.  The  proof  is  by  induction  on  the  proof  of  minimum  typing.  The  base  case  is 
straightforward.  We  present  only  a  few  of  the  inductive  cases. 

Inductive assumption. For all $C, E$, if $C, E \vdash_M e' : \rho$ in fewer than $n$ steps and $x$ and $a$ are as described above, then there exists some $\rho'$ such that $C, E \vdash_M e'[a/x] : \rho'$, where $C \vdash \rho' < \rho$. Furthermore, if $\rho$ is a ClassType type, then $\rho' = \rho$.

MClass. $C, E \vdash_M class(self : MyType <_{meth} ObjectType(MyType)\tau)e : ClassType(MyType)\tau$.

Case 1: $x = self$. In this case the expression is unchanged by the substitution as $self$ is a bound variable of the term. As a result the type of the term is unchanged by the substitution.

Case 2: $x \neq self$. Thus

$$(class(self : MyType <_{meth} ObjectType(MyType)\tau)e)[a/x] = class(self : MyType <_{meth} ObjectType(MyType)\tau)e',$$

where $e' = e[a/x]$. By induction, $C, E \vdash_M e' : \tau'$, where $C \vdash \tau' < \tau$. Since classes have unique types, the class typing rule allows us to prove that $C, E \vdash_M (class(self : MyType <_{meth} ObjectType(MyType)\tau)e)[a/x] : ClassType(MyType)\tau$.

MMsg. $C, E \vdash_M o \Leftarrow m_i : \tau_i[\gamma/MyType]$.

We may assume that $C, E \vdash_M o : \gamma$, where $\gamma = ObjectType(MyType)\{\ldots; m_i : \tau_i; \ldots\}$, by the typing rules. By induction, $C, E \vdash_M o[a/x] : \gamma'$, where $\gamma' = ObjectType(MyType)\{\ldots; m_i : \tau_i'; \ldots\}$, and $C \vdash \gamma' < \gamma$. Note that the minimum type of $o[a/x]$ must be an ObjectType type, since, by the second part of the definition of manageability, there can be no expressions of the form $(t < ObjectType(MyType)\tau) \in C$. By the object subtyping rule,

$$C \cup \{s < t\} \vdash \{\ldots; m_i : \tau_i'; \ldots\}[s/MyType] < \{\ldots; m_i : \tau_i; \ldots\}[t/MyType],$$

and it follows that $C \cup \{s < t\} \vdash \tau_i'[s/MyType] < \tau_i[t/MyType]$. Finally, because $s$ and $t$ do not occur in $C$, substitution of the types $\gamma'$ and $\gamma$ for $s$ and $t$ gives us that $C \vdash \tau_i'[\gamma'/MyType] < \tau_i[\gamma/MyType]$.

MMsg'. $C, E \vdash_M o \Leftarrow m_i : \tau_i[t/MyType]$.

$C, E \vdash_M o : t$, where $t$ is a type variable. Thus $(t <_{meth} ObjectType(MyType)\{\ldots; m_i : \tau_i; \ldots\}) \in C$. Note that $(o \Leftarrow m_i)[a/x] = o[a/x] \Leftarrow m_i$. Now, by induction, $C, E \vdash_M o[a/x] : t'$, where $C \vdash t' < t$. But the first part of the definition of $C$ being manageable asserts that there can be nothing of the form $(\tau < t) \in C$, and, since $t$ is a variable, no other proof can exist which shows that $t'$ is a subtype of $t$. Therefore, $t = t'$, and so $C, E \vdash_M o[a/x] \Leftarrow m_i : \tau_i[t/MyType]$.

MUpdate. $C, E \vdash_M update\ c\ by\ (self : MyType <_{meth} ObjectType(MyType)\tau'; super)\{m_1 = e_1'\} : ClassType(MyType)\tau'$,

where $\tau' = \{m_1 : \tau_1'; m_2 : \tau_2; \ldots; m_n : \tau_n\}$.

By the observations in the (MClass) case, we may assume that $x \neq self$, as no change will take place otherwise. Now note that

$$(update\ c\ by\ (self : MyType <_{meth} ObjectType(MyType)\tau'; super)\{m_1 = e_1'\})[a/x] = update\ c[a/x]\ by\ (self : MyType <_{meth} ObjectType(MyType)\tau'; super)\{m_1 = e_1'[a/x]\}.$$

By the typing rules, $c$ has some ClassType type, and so by induction, $c[a/x]$ must have the same type. Thus $C, E \vdash_M c[a/x] : ClassType(MyType)\{m_1 : \tau_1; \ldots; m_n : \tau_n\}$. Also, by induction, $C, E \vdash_M e_1'[a/x] : \tau''$, where $C \vdash \tau'' < \tau_1'$. Thus we can use (MUpdate) to prove that $C, E \vdash_M update\ c[a/x]\ by\ (self : MyType <_{meth} ObjectType(MyType)\tau'; super)\{m_1 = e_1'[a/x]\} : ClassType(MyType)\tau'$. Thus the update expression after performing substitution has exactly the same type as it did before the substitution. ■

4  Subject  reduction  theorem 

The  subject  reduction  theorem  shows  that  types  are  preserved  under  the  reductions  of 
our  natural  semantics.  This  can  be  used  to  show  that  TOOPLE  is  type-safe,  since  no 
computation  on  a  well-typed  term  can  ever  result  in  a  term  which  is  ill-typed. 

Theorem 4.1 (Subject Reduction Theorem) Assume that $C, E \vdash_M e : \tau \Downarrow e'$. Then there is a type $\tau'$ such that $C, E \vdash_M e' : \tau'$, where $C \vdash \tau' < \tau$. Furthermore, if $\tau$ is a class type then $\tau' = \tau$.

Proof.  The  proof  is  by  induction  on  the  number  of  steps  used  in  the  reduction. 

Base case. If any of the rules RAbs, RConst, RRecord, RClass, or RObj apply, then $e' = e$, so the theorem holds trivially.

Inductive cases. Suppose that for all $C, E$, and for all $e'$ such that $e' \Downarrow e''$ in fewer than $n$ steps, if $C, E \vdash_M e' : \tau' \Downarrow e''$ then there is some $\tau''$ such that $C, E \vdash_M e'' : \tau''$ and $C \vdash \tau'' < \tau'$. Furthermore, if $\tau'$ is a class type then $\tau' = \tau''$.

The proof proceeds by cases on the last semantic rule applied. In each case we assume that $e$ is typable and that there is some $v$ such that $e \Downarrow v$ in $n$ steps. We begin each case by specifying the form of $e$ and the minimum type of $e$.
We include only a few interesting cases in this conference paper. We note that Lemma 3.3 is needed in the (omitted) case for function application.

RNew. $C, E \vdash_M new\ c : ObjectType(MyType)\tau$.

By the typing rules, $C, E \vdash_M c : ClassType(MyType)\tau$, and by the semantic rule, $c \Downarrow class(self : MyType <_{meth} ObjectType(MyType)\tau)e'$. By induction, $C, E \vdash_M class(self : MyType <_{meth} ObjectType(MyType)\tau)e' : ClassType(MyType)\tau$, as the types of classes are invariant. By the semantic rule $v = obj(self : MyType <_{meth} ObjectType(MyType)\tau)e'$, and we can prove that $C, E \vdash_M obj(self : MyType <_{meth} ObjectType(MyType)\tau)e' : ObjectType(MyType)\tau$.

RMsg. $C, E \vdash_M o \Leftarrow m_i : \tau_i[\gamma/MyType]$.

It is clear that $o$ is typable, as the entire expression is typable, and we proceed by cases on the last rule of the proof of minimum type for $o \Leftarrow m_i$.

MMsg. $C, E \vdash_M o : ObjectType(MyType)\{\ldots; m_i : \tau_i; \ldots\}$.

Note that $\gamma = ObjectType(MyType)\{\ldots; m_i : \tau_i; \ldots\}$. Since $o \Downarrow obj(self : MyType <_{meth} \gamma')e$ for $\gamma' = ObjectType(MyType)\{\ldots; m_i : \tau_i'; \ldots\}$, then, by induction,

$$C, E \vdash_M obj(self : MyType <_{meth} \gamma')e : \gamma', \qquad (1)$$

where

$$C \vdash \gamma' < \gamma. \qquad (2)$$

By the subtyping rules, the only way (2) could hold is if $C \cup \{s < t\} \vdash \tau_i'[s/MyType] < \tau_i[t/MyType]$. It follows that

$$C \vdash \tau_i'[\gamma'/MyType] < \tau_i[\gamma/MyType]. \qquad (3)$$

By (1) and our typing rule for obj terms,

$$C \cup \{MyType <_{meth} \gamma'\}, E \cup \{self : MyType\} \vdash_M e : \{\ldots; m_i : \tau_i''; \ldots\}, \qquad (4)$$

where

$$C \cup \{MyType <_{meth} \gamma'\} \vdash \tau_i'' < \tau_i'. \qquad (5)$$

Let $e' = e[obj(self : MyType <_{meth} \gamma')e/self, \gamma'/MyType]$. By Lemma 3.3, it follows that

$$C, E \vdash_M e' : \{\ldots; m_i : \tau_i'''; \ldots\}, \qquad (6)$$

where $C \vdash \tau_i''' < \tau_i''[\gamma'/MyType]$.

By (5), it follows that

$$C \vdash \tau_i''[\gamma'/MyType] < \tau_i'[\gamma'/MyType]. \qquad (7)$$

Furthermore, since $e' \Downarrow \{\ldots, m_i = e_i, \ldots\}$, it follows by induction that $C, E \vdash_M e_i : \rho$, where

$$C \vdash \rho < \tau_i'''. \qquad (8)$$

Since $e_i \Downarrow v$, by induction,

$$C, E \vdash_M v : \rho', \text{ where } C \vdash \rho' < \rho < \tau_i''' < \tau_i''[\gamma'/MyType]. \qquad (9)$$

Thus, by (3), (7), (9), and transitivity,

$$C \vdash \rho' < \tau_i[\gamma/MyType].$$

In summary, if $(e \Leftarrow m_i) \Downarrow v$, where $C, E \vdash_M e \Leftarrow m_i : \tau_i[\gamma/MyType]$, then $C, E \vdash_M v : \rho'$, with $C \vdash \rho' < \tau_i[\gamma/MyType]$, as desired.


MMsg'. $C, E \vdash_M o : t$, where $t$ is a type variable.

Note that $\gamma = t$. The other hypothesis of the (MMsg') rule must be

$$(t <_{meth} ObjectType(MyType)\{\ldots; m_i : \tau_i; \ldots\}) \in C.$$

By the semantic rule (RMsg), $o \Downarrow obj(self : MyType <_{meth} \{\ldots; m_i : \tau_i'; \ldots\})e$. Thus, by induction, $C, E \vdash_M obj(self : MyType <_{meth} \{\ldots; m_i : \tau_i'; \ldots\})e : t'$, where $C \vdash t' < t$.

However, any proof of minimum type for an obj expression must end in the (MObj) typing rule. Thus $t'$ is of the form $ObjectType(MyType)\tau$, and so $C \vdash ObjectType(MyType)\tau < t$. But this implies something of the form $(\tau < t) \in C$, which is impossible due to the first part of the definition of manageability. Thus it cannot be the case that $C, E \vdash_M o : t$ where $t$ is a type variable. ■

The subject reduction theorem ensures that our programming language is type-safe, by showing that all intermediate terms in a computation can be typed (with a subtype of the type of the original term). In particular, this implies that no term of the form $f(e)$ occurs in the computation of a well-typed term if the types of $f$ and $e$ do not match. Similarly no object will be sent a message that it cannot handle in a computation on a well-typed term (since such a subterm would be ill-typed).

Thus,  if  we  begin  with  a  term  with  no  free  variables,  a  computation  will  proceed  in  a 
type-safe  way  to  a  value  or  may  loop.  However,  it  will  never  become  stuck  at  a  non-value 
since  each  well-typed  term  corresponds  to  a  computation  rule  in  the  natural  semantics. 

5 Consistency of the natural semantics with the denotational semantics

The  theoretical  results  about  TOOPL  in  [Bru93a]  are  given  in  terms  of  the  denotational 
semantics  presented  in  Appendix  D.  Of  course,  we  would  like  to  be  able  to  claim  that  any 
results  using  the  natural  semantics  presented  here  actually  refer  to  the  same  language  as 
the  one  Bruce  described. 

We  will  prove  that  the  natural  semantics  presented  in  appendix  C  is  sound  with 
respect  to  the  denotational  semantics.  To  do  this,  we  must  show  that,  whenever  a  term 
M  reduces  to  a  term  v  in  the  natural  semantics,  their  meanings  are  the  same  according 
to  the  denotational  semantics. 

We  first  need  the  following  substitution  lemma  for  terms. 

Lemma 5.1 Suppose $s$ is not free in $C$ or $E$, $C \cup \{s < \tau\}, E \cup \{x : s\} \vdash M : \gamma$, $C, E \vdash a : \sigma$, and $C \vdash \sigma < \tau$. Then

1. $C, E \vdash M[a/x, \sigma/s] : \gamma[\sigma/s]$, and

2. $[\![C \cup \{s < \tau\}, E \cup \{x : s\} \vdash M : \gamma]\!]\rho[[\![C, E \vdash a : \sigma]\!]\rho/x, [\![\sigma]\!]\rho/s] = [\![C, E \vdash M[a/x, \sigma/s] : \gamma[\sigma/s]]\!]\rho$.

We  now  prove  the  correctness  of  the  natural  semantics  with  respect  to  the  denotational 
semantics. 

Theorem 5.2 If $C, E \vdash M : \tau \Downarrow v$, then $[\![C, E \vdash M : \tau]\!]\rho = [\![C, E \vdash v : \tau]\!]\rho$.

Proof.  We  will  prove  the  natural  semantics  correct  by  induction  on  the  number  of  steps 
in  the  reduction. 

Base Cases. For terms that can be reduced by one of the rules RAbs, RConst, RRecord, RClass, or RObj, the theorem is clearly true, since each of these rules states that $M \Downarrow M$.

Inductive Cases. We prove the consistency of the natural semantics for all terms whose reduction is of length $n$, where $n > 1$, assuming that the semantics are correct for all terms whose reductions are of length less than $n$. We provide only a few of the more interesting cases.

Function application. The natural semantics rule for function application is RAppl, which gives us, by the induction hypothesis, that

$$[\![C, E \vdash e : \sigma \to \tau]\!]\rho = [\![C, E \vdash \lambda x : \sigma.\,M : \sigma \to \tau]\!]\rho = \lambda d \in \mathcal{A}^{\sigma}.\ [\![C, E \cup \{x : \sigma\} \vdash M : \tau]\!]\rho[d/x].$$

Then

$$\begin{array}{rl}
[\![C, E \vdash e\ e' : \tau]\!]\rho & = ([\![C, E \vdash e : \sigma \to \tau]\!]\rho)([\![C, E \vdash e' : \sigma]\!]\rho) \\
& = (\lambda d \in \mathcal{A}^{\sigma}.\ [\![C, E \cup \{x : \sigma\} \vdash M : \tau]\!]\rho[d/x])([\![C, E \vdash e' : \sigma]\!]\rho) \\
& = [\![C, E \cup \{x : \sigma\} \vdash M : \tau]\!]\rho[[\![C, E \vdash e' : \sigma]\!]\rho/x] \\
& = [\![C, E \vdash M[e'/x] : \tau]\!]\rho,
\end{array}$$

where the final step follows from Lemma 5.1, part 2.

Because $C, E \vdash M[e'/x] : \tau \Downarrow v$, by induction we obtain

$$[\![C, E \vdash M[e'/x] : \tau]\!]\rho = [\![C, E \vdash v : \tau]\!]\rho.$$

Thus

$$[\![C, E \vdash e\ e' : \tau]\!]\rho = [\![C, E \vdash v : \tau]\!]\rho.$$

Objects. The rule for creation of an object from a class is RNew. The corresponding denotational rule is:

$$[\![C, E \vdash new\ c : ObjectType(MyType)\tau]\!]\rho = FIX(([\![C, E \vdash c : ClassType(MyType)\tau]\!]\rho)([\![ObjectType(MyType)\tau]\!]\rho)).$$

Now, by the induction hypothesis,

$$[\![C, E \vdash c : ClassType(MyType)\tau]\!]\rho = [\![C, E \vdash class(self : MyType)e : ClassType(MyType)\tau]\!]\rho.$$

Substituting and using the semantics of objects we get:

$$\begin{array}{rl}
[\![C, E \vdash new\ c : ObjectType(MyType)\tau]\!]\rho & = FIX(([\![C, E \vdash class(self : MyType)e : ClassType(MyType)\tau]\!]\rho)([\![ObjectType(MyType)\tau]\!]\rho)) \\
& = [\![C, E \vdash obj(self : MyType)e : ObjectType(MyType)\tau]\!]\rho.
\end{array}$$

Message passing. The next case to consider is an expression that sends a message to an object. The natural semantics rule for this is RMsg. Without loss of generality we presume that $C, E \vdash_M o \Leftarrow m_i : \tau_i[\gamma/MyType]$. We proceed by cases on the last typing rule applied:

Case i. $C, E \vdash_M o : \gamma$ for $\gamma = ObjectType(MyType)\{m_1 : \tau_1; \ldots; m_n : \tau_n\}$.

The denotational definition for message passing is Msg:

$$[\![C, E \vdash o \Leftarrow m_i : \tau_i[\gamma/MyType]]\!]\rho = (convert[[\![\{m_i : \tau_i\}]\!]\rho[[\![\gamma]\!]\rho/MyType]][[\![\gamma]\!]\rho]\,[\![C, E \vdash o : \gamma]\!]\rho)(m_i).$$

By the convert rules for records in [BL90], if $\sigma < [\![\{s_1 : \sigma_1; \ldots; s_k : \sigma_k; \ldots; s_n : \sigma_n\}]\!]\rho$ and $r \in \mathcal{A}^{\sigma}$, then

$$(convert[[\![\{s_1 : \sigma_1; \ldots; s_n : \sigma_n\}]\!]\rho][\sigma]\,r)(s_k) = (convert[[\![\{s_k : \sigma_k\}]\!]\rho][\sigma]\,r)(s_k).$$

By the semantics of object types,

$$[\![\gamma]\!]\rho = [\![\{m_1 : \tau_1; \ldots; m_n : \tau_n\}]\!]\rho[[\![\gamma]\!]\rho/MyType].$$

Thus,

$$\begin{array}{rl}
(convert[[\![\{m_i : \tau_i\}]\!]\rho[[\![\gamma]\!]\rho/MyType]][[\![\gamma]\!]\rho]\,[\![C, E \vdash o : \gamma]\!]\rho)(m_i) & = (convert[[\![\{m_1 : \tau_1; \ldots; m_n : \tau_n\}]\!]\rho[[\![\gamma]\!]\rho/MyType]][[\![\gamma]\!]\rho]\,[\![C, E \vdash o : \gamma]\!]\rho)(m_i) \\
& = (convert[[\![\gamma]\!]\rho][[\![\gamma]\!]\rho]\,[\![C, E \vdash o : \gamma]\!]\rho)(m_i) \\
& = [\![C, E \vdash o : \gamma]\!]\rho(m_i).
\end{array}$$

Hence $[\![C, E \vdash o \Leftarrow m_i : \tau_i[\gamma/MyType]]\!]\rho = [\![C, E \vdash o : \gamma]\!]\rho(m_i)$.

Since $o \Leftarrow m_i \Downarrow v$, it follows that

$$o \Downarrow obj(self : MyType <_{meth} \gamma')e \qquad (10)$$

for some $\gamma' = ObjectType(MyType)\tau'$, and some record $e$ such that

$$e' = e[obj(self : MyType <_{meth} \gamma')e/self, \gamma'/MyType] \Downarrow \{m_1 = e_1, \ldots, m_n = e_n\}, \qquad (11)$$

and

$$e_i \Downarrow v. \qquad (12)$$

By the subject-reduction theorem and (10), $C \vdash \gamma' < \gamma$.

Let $C' = C \cup \{MyType <_{meth} ObjectType(MyType)\tau'\}$ and $E' = E \cup \{self : MyType\}$. By the denotational rule for objects, Obj,

$$\begin{array}{rl}
[\![C, E \vdash obj(self : MyType)e : \gamma']\!]\rho & = FIX(([\![C, E \vdash class(self : MyType)e : ClassType(MyType)\tau']\!]\rho)([\![\gamma']\!]\rho)) \\
& = FIX((\lambda \xi < [\![\tau']\!]\rho[\xi/MyType].\ \lambda o \in \mathcal{A}^{\xi}.\ [\![C', E' \vdash e : \tau']\!]\rho[\xi/MyType, o/self])([\![\gamma']\!]\rho)) \\
& = FIX(\lambda o \in \mathcal{A}^{[\![\gamma']\!]\rho}.\ [\![C', E' \vdash e : \tau']\!]\rho[[\![\gamma']\!]\rho/MyType, o/self]).
\end{array}$$

Therefore,

$$\begin{array}{rl}
[\![C, E \vdash obj(self : MyType)e : \gamma']\!]\rho & = [\![C', E' \vdash e : \tau']\!]\rho[[\![\gamma']\!]\rho/MyType, [\![C, E \vdash obj(self : MyType)e : \gamma']\!]\rho/self] \\
& = [\![C, E \vdash e' : \tau'[\gamma'/MyType]]\!]\rho, \text{ by Lemma 5.1,} \\
& = [\![C, E \vdash \{m_1 = e_1, \ldots, m_i = e_i, \ldots, m_n = e_n\} : \tau'[\gamma'/MyType]]\!]\rho, \text{ by induction.}
\end{array}$$

Because $C \vdash \gamma' < \gamma$ and both are object types, it follows that $C \vdash \tau'[\gamma'/MyType] < \{m_1 : \tau_1; \ldots; m_n : \tau_n\}[\gamma/MyType]$. By induction, (10) and the above expansion of $[\![obj(self : MyType)e]\!]\rho$,

$$[\![C, E \vdash o : \gamma]\!]\rho = [\![C, E \vdash \{m_1 = e_1, \ldots, m_n = e_n\} : \{m_1 : \tau_1; \ldots; m_n : \tau_n\}[\gamma/MyType]]\!]\rho,$$

so

$$([\![C, E \vdash o : \gamma]\!]\rho)(m_i) = [\![C, E \vdash e_i : \tau_i[\gamma/MyType]]\!]\rho = [\![C, E \vdash v : \tau_i[\gamma/MyType]]\!]\rho$$

by the Rec rule and the induction hypothesis, respectively. We conclude, then, that $[\![C, E \vdash o \Leftarrow m_i : \tau_i[\gamma/MyType]]\!]\rho = [\![C, E \vdash v : \tau_i[\gamma/MyType]]\!]\rho$.

Case ii. $C, E \vdash_M o : t$ for $t$ a type variable.

By assumption, $o \Downarrow obj(self : MyType <_{meth} \gamma')e$ where $\gamma'$ (which is also the type of the object expression) is an object type. By the subject reduction theorem, $C \vdash \gamma' < t$. However, by the definition of manageable type constraint system, a type variable may not be shown to be a subtype of an object type. Thus this case will never arise!

Class update. Classes are updated according to the rule RUpdate.

Let $\tau = \{m_1 : \tau_1; \ldots; m_n : \tau_n\}$ and $\tau' = \{m_1 : \tau_1'; m_2 : \tau_2; \ldots; m_n : \tau_n\}$. The denotational rule, Update, is:

$$[\![C, E \vdash update\ c\ by\ (self : MyType <_{meth} ObjectType(MyType)\tau'; super)\{m_1 = e_1'\} : ClassType(MyType)\tau']\!]\rho = \lambda \xi < [\![\tau']\!]\rho[\xi/MyType].\ \lambda o \in \mathcal{A}^{\xi}.\ f,$$

where

$$\begin{array}{l}
C' = C \cup \{MyType <_{meth} ObjectType(MyType)\tau'\}, \\
E' = E \cup \{self : MyType\}, \\
dom(f) = \{m_1, \ldots, m_n\}, \\
f(m_1) = [\![C', E' \vdash e_1' : \tau_1']\!]\rho[\xi/MyType, o/self, s/super], \\
f(m_j) = s(m_j),\ \forall j : 2 \le j \le n, \\
s = [\![C, E \vdash c : ClassType(MyType)\tau]\!]\rho(\xi)(o).
\end{array}$$

Since

$$C, E \vdash c : ClassType(MyType)\tau \Downarrow class(self : MyType <_{meth} ObjectType(MyType)\tau)e,$$

it follows by induction and the semantics of classes that

$$s = [\![C^+, E' \vdash e : \tau]\!]\rho[\xi/MyType, o/self],$$

where $C^+ = C \cup \{MyType <_{meth} ObjectType(MyType)\tau\}$.

Let $e' = \{m_1 = e_1'', m_2 = e.m_2, \ldots, m_n = e.m_n\}$, where $e_1'' = e_1'[e/super]$. By Class:

$$[\![C, E \vdash class(self : MyType <_{meth} ObjectType(MyType)\tau')e' : ClassType(MyType)\tau']\!]\rho = \lambda \xi < [\![\tau']\!]\rho[\xi/MyType].\ \lambda o \in \mathcal{A}^{\xi}.\ [\![C', E' \vdash e' : \tau']\!]\rho[\xi/MyType, o/self].$$

To complete the proof we must show that

$$f(m_i) = ([\![C', E' \vdash e' : \tau']\!]\rho[\xi/MyType, o/self])(m_i)$$

for all $\xi < [\![\tau']\!]\rho[\xi/MyType]$, $o \in \mathcal{A}^{\xi}$, and $i$ from 1 to $n$.

Case: $i = 1$. We can say, by the denotational rule for records, Proj, that

$$\begin{array}{rl}
([\![C', E' \vdash e' : \tau']\!]\rho[\xi/MyType, o/self])(m_1) & = [\![C', E' \vdash e_1'' : \tau_1']\!]\rho[\xi/MyType, o/self] \\
& = [\![C', E' \vdash e_1' : \tau_1']\!]\rho[\xi/MyType, o/self, s/super] \\
& = f(m_1).
\end{array}$$

Case: $i \ge 2$. By the definition of $f$ above,

$$\begin{array}{rll}
f(m_i) & = [\![C, E \vdash c : ClassType(MyType)\tau]\!]\rho(\xi)(o)(m_i) & \\
& = ([\![C, E \vdash class(self : MyType <_{meth} ObjectType(MyType)\tau)e : ClassType(MyType)\tau]\!]\rho)(\xi)(o)(m_i) & \text{by induction} \\
& = ([\![C^+, E' \vdash e : \tau]\!]\rho[\xi/MyType, o/self])(m_i) & \text{by Class} \\
& = ([\![C', E' \vdash e' : \tau']\!]\rho[\xi/MyType, o/self])(m_i) & \text{by Rec.}
\end{array}$$

Thus, the two functions are equal for all $m_i$ in either domain. Since the functions were equal to the denotational meanings of the respective expressions, we can say that the two are equivalent.

The  case  for  class  extensions  is  similar.  ■ 


6  Comparison  with  previous  work 

As  indicated  earlier,  the  work  on  TOOPLE  grew  out  of  work  in  [CHC90]  and  [Mit90] 
on  the  semantics  of  inheritance  in  typed  object-oriented  languages.  We  have  also  been 
greatly  influenced  by  the  work  of  Luca  Cardelli. 

The most interesting comparable work to ours is that of Cardelli and of Benjamin Pierce. In their papers, both alone and with collaborators (see [Car88a, CW85, Car88b, CL91, CM90, Car92] and [PT93, PT92, PH92]), both authors have been striving to find a core language which can be used to model all of the common features of object-oriented programming languages. Each uses extensions of $F_<$, the bounded second-order lambda calculus. While we have preferred to use the F-bounded second-order lambda calculus (see [CCH+89]) as a basis for the denotational semantics of our language, they have preferred a different variant which involves taking fixed points of higher order functions from types to types. As indicated by [Aba92], these extensions of $F_<$ are essentially identical.

A  major  difference  between  both  Cardelli  and  Pierce  and  our  work  is  that  they  adopt 
a  mainly  syntactic  point  of  view  of  translating  object-oriented  features  into  extensions  of 
the  second-order  lambda  calculus.  We  have  adopted  a  more  semantic  approach,  originally 
giving  the  denotational  semantics  of  TOOPLE  in  a  model  of  the  second-order  lambda 
calculus.  We  have  continued  this  approach  here,  treating  our  object-oriented  programming 
language  features  as  primitive  and  providing  an  operational  semantics  in  terms  of  these 
constructs. 

Pierce's approach eliminates the need for fixed points at the type level in his language (though they are still required at the element level to model objects). The price to be paid for this is not being able to express classes with binary methods like eq which take parameters of type MyType, as in PointClass in section 2. While our denotational semantics for TOOPLE requires fixed points at both the term and type levels, the natural semantics provided here is significantly simpler.

Castagna, Ghelli, and Longo (see [CGL92]) have proposed an interesting new approach to providing the features of object-oriented programming languages. They propose replacing inheritance by a disciplined use of overloading of operations. When combined with subtyping, the resulting language has many interesting features, including a mechanism for dealing with multi-methods, methods whose execution depends on the types of several parameters rather than just the type of the receiver of the message, as in most object-oriented programming languages.

Each  of  these  approaches  to  modeling  object-oriented  programming  languages  has  its 
strengths  and  weaknesses,  many  of  which  will  be  apparent  only  with  time  and  experience. 
It  is  already  clear  that  each  of  these  approaches  represents  significant  progress  toward  the 
ultimate  understanding  of  object-oriented  programming  languages. 


7  Summary  and  further  work  on  TOOPLE 

In this paper we presented a natural semantics (a form of operational semantics) for the statically-typed, functional, object-oriented language, TOOPLE. The natural semantics has the advantage of being easier to understand than the denotational semantics, since the denotational semantics requires fixed points at both the element and type levels. The major results in the paper were proofs of a subject reduction theorem for the natural semantics, and a consistency theorem for the natural semantics relative to the denotational semantics.

The  language  presented  in  this  conference  paper  does  not  include  instance  variables. 
The  language  with  only  methods  is  extremely  limited  in  expressibility,  but  we  decided  that 
it  was  much  easier  to  present  this  simpler  language  in  the  limited  space  available  here.  We 
urge  the  reader  to  see  [Bru93a]  for  a  full  discussion  of  TOOPLE  with  instance  variables. 
The  natural  semantics  presented  here  can  be  extended  easily  to  the  full  language,  and  the 
theorems  and  proofs  carry  over  fairly  directly  to  this  more  complex  language. 

The subject reduction theorem shows that the natural semantics preserves the type system for the language. Thus a well-typed term can never go "wrong". In particular, it shows that a well-typed term will never result in a computation in which a message is sent to an object which cannot handle it. The earlier papers [Bru93b] and [Bru93a] included other results with respect to a denotational semantics which indicated that the language was type-safe.

The  proofs  of  the  subject  reduction  theorem  and  the  type  safety  of  the  denotational 
semantics  helped  us  discover  and  eliminate  errors  in  the  type-checking  rules  that  might 
have  remained  had  we  not  built  the  language  on  this  theoretical  base.  It  is  our  hope 
that  this  deeper  understanding  of  object-oriented  programming  languages  will  provide 
the  basis  for  a  careful  analysis  of  the  pros  and  cons  of  each  of  their  individual  features. 
This  should  lead  to  the  design  of  safe  languages  which  are  easy  to  reason  about,  and  whose 
expressiveness  is  similar  to  that  found  in  today’s  popular  object-oriented  languages. 

Since earlier papers presented the semantics of the language as a denotational semantics, we showed here that the natural semantics is consistent with those earlier semantics.

The paper, [BCD+93], presents further results on TOOPLE. It shows that type checking TOOPLE is decidable and that every term of TOOPLE has a minimal type. The decidability of type checking was in some doubt since Pierce [Pie92] showed that type checking $F_<$ was undecidable and the denotational semantics of TOOPLE is expressed in an extension of $F_<$.

R.  van  Gent  at  Williams  College  has  built  a  TOOPLE  type  checker  and  interpreter 
which  is  based  on  the  type-checking  algorithm  presented  in  [BCD+93]  and  the  natural 
semantics  presented  in  this  paper.  More  recently,  Bruce  and  van  Gent  [vG93,  BvG93]  have 
designed  an  imperative  language,  TOIL,  with  a  type  system  extending  that  of  TOOPLE. 
Similar  results  about  the  safety  and  decidability  of  type-checking  hold  for  TOIL.  An 
interpreter  has  been  written  which  is  being  used  to  further  investigate  the  language. 
Work  is  currently  proceeding  on  extending  the  type  system  of  TOIL  to  include  explicit 
polymorphism.  We  are  also  investigating  the  development  of  proof  axioms  and  rules  for 
reasoning  about  TOOPLE  and  TOIL  programs. 

While  TOOPLE  is  missing  many  of  the  important  features  necessary  to  provide  a 
truly  useful  language,  we  believe  that  TOOPLE  can  serve  as  the  core  of  a  statically-typed 
object-oriented  language  which  combines  type-safety  with  expressiveness  approaching  or 
even  exceeding  that  of  languages  which  fail  to  be  strongly  typed. 

As  this  paper  was  going  to  press,  we  learned  of  the  development  of  the  language 
Strongtalk  [BG93],  which  has  adopted  essentially  the  typing  rules  for  TOOPLE  (along 
with  a  few  extensions)  in  order  to  type  check  a  subset  of  Smalltalk.  We  look  forward  to 
learning  of  the  efficacy  of  this  typing  system  in  large  programming  projects. 
A Subtyping Rules for TOOPLE

SRefl

$$C \vdash \tau < \tau$$

SVar

$$C \cup \{t < \tau\} \vdash t < \tau$$

STrans

$$\frac{C \vdash \gamma < \sigma, \qquad C \vdash \sigma < \tau}{C \vdash \gamma < \tau}$$

SAbs

$$\frac{C \vdash \sigma' < \sigma, \qquad C \vdash \tau < \tau'}{C \vdash \sigma \to \tau < \sigma' \to \tau'}$$

SRec

$$\frac{C \vdash \sigma_j < \tau_j,\ \forall j : 1 \le j \le k \le n}{C \vdash \{m_1 : \sigma_1; \ldots; m_k : \sigma_k; \ldots; m_n : \sigma_n\} < \{m_1 : \tau_1; \ldots; m_k : \tau_k\}}$$

SObj

$$\frac{C \cup \{s < t\} \vdash \tau[s/MyType] < \tau'[t/MyType]}{C \vdash ObjectType(MyType)\tau < ObjectType(MyType)\tau'}$$

IRefl

$$C \vdash ObjectType(MyType)\tau <_{meth} ObjectType(MyType)\tau$$

IVar

$$C \cup \{t <_{meth} \tau\} \vdash t <_{meth} \tau$$

ITrans

$$\frac{C \vdash \gamma <_{meth} ObjectType(MyType)\tau, \qquad C \vdash \tau < \tau'}{C \vdash \gamma <_{meth} ObjectType(MyType)\tau'}$$
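The rules of Appendix A as a decision procedure, an added example that is not the paper's code: the checker below implements SRefl, SVar, STrans, SAbs, SRec, SObj and the $<_{meth}$ rules over a tuple encoding of types. The sample types POINT, COLOR_POINT, EQ_POINT and COLOR_EQ_POINT and the helper names are constructed here; the eq case shows that the fresh $s < t$ introduced by SObj rejects object subtyping as soon as a method takes MyType as a parameter, the binary-method situation section 6 discusses.

```python
# Added example (not the paper's code): a decision procedure for the subtyping
# rules of Appendix A.  Types are nested tuples:
#   ("base", "Num")                  base type
#   ("var", name)                    type variable (MyType, s, t, ...)
#   ("fun", sigma, tau)              sigma -> tau
#   ("rec", ((m1, tau1), ...))       record type {m1 : tau1; ...}
#   ("obj", tau)                     ObjectType(MyType) tau, tau a record type
# A constraint set C is a set of (name, bound) pairs, one per assumption
# name < bound; C_meth holds the name <_meth bound assumptions.  As in the
# paper's "manageable" C, variable bounds are assumed to be acyclic.
import itertools

_counter = itertools.count(1)


def fresh(prefix):
    """A type variable not occurring in C (SObj needs new s and t)."""
    return ("var", f"{prefix}{next(_counter)}")


def subst(ty, var, by):
    """ty[by/var]; MyType is bound inside ObjectType(MyType)..., so it is
    left alone there."""
    kind = ty[0]
    if kind == "base":
        return ty
    if kind == "var":
        return by if ty[1] == var else ty
    if kind == "fun":
        return ("fun", subst(ty[1], var, by), subst(ty[2], var, by))
    if kind == "rec":
        return ("rec", tuple((m, subst(t, var, by)) for m, t in ty[1]))
    if kind == "obj":
        return ty if var == "MyType" else ("obj", subst(ty[1], var, by))
    raise ValueError(ty)


def subtype(C, sigma, tau):
    """Decide C |- sigma < tau."""
    if sigma == tau:                                  # SRefl
        return True
    if sigma[0] == "var":                             # SVar, chained by STrans
        return any(subtype(C, bound, tau) for name, bound in C if name == sigma[1])
    if sigma[0] == "fun" and tau[0] == "fun":         # SAbs: contravariant argument
        return subtype(C, tau[1], sigma[1]) and subtype(C, sigma[2], tau[2])
    if sigma[0] == "rec" and tau[0] == "rec":         # SRec: extra fields allowed,
        fields = dict(sigma[1])                       # shared fields covariant
        return all(m in fields and subtype(C, fields[m], t) for m, t in tau[1])
    if sigma[0] == "obj" and tau[0] == "obj":         # SObj: rename MyType to fresh
        s, t = fresh("s"), fresh("t")                 # s and t, assuming only s < t
        return subtype(C | {(s[1], t)},
                       subst(sigma[1], "MyType", s), subst(tau[1], "MyType", t))
    return False


def meth_subtype(C, C_meth, gamma, target):
    """Decide C |- gamma <_meth target (IRefl, IVar, ITrans); target is an ObjectType."""
    if target[0] != "obj":
        return False
    if gamma[0] == "obj":                             # IRefl, then ITrans on the record
        return subtype(C, gamma[1], target[1])
    if gamma[0] == "var":                             # IVar, then ITrans
        return any(bound[0] == "obj" and subtype(C, bound[1], target[1])
                   for name, bound in C_meth if name == gamma[1])
    return False


NUM, BOOL, MYTYPE = ("base", "Num"), ("base", "Bool"), ("var", "MyType")


def rec(**fields):
    return ("rec", tuple(fields.items()))


# Constructed sample types (not the paper's): points with a covariant method
# move : Num -> MyType, and points with the binary method eq : MyType -> Bool.
POINT = ("obj", rec(x=NUM, move=("fun", NUM, MYTYPE)))
COLOR_POINT = ("obj", rec(x=NUM, color=NUM, move=("fun", NUM, MYTYPE)))
EQ_POINT = ("obj", rec(x=NUM, eq=("fun", MYTYPE, BOOL)))
COLOR_EQ_POINT = ("obj", rec(x=NUM, color=NUM, eq=("fun", MYTYPE, BOOL)))


def checks():
    return (
        subtype(set(), COLOR_POINT, POINT),        # True: Num -> s < Num -> t needs s < t
        subtype(set(), COLOR_EQ_POINT, EQ_POINT),  # False: s -> Bool < t -> Bool needs t < s
        subtype({("u", COLOR_POINT)}, ("var", "u"), POINT),              # True: SVar, STrans
        meth_subtype(set(), {("MyType", COLOR_POINT)}, MYTYPE, POINT),   # True: IVar, ITrans
    )
```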

B Minimum Typing Rules for TOOPLE

Definition B.1 The following are used in the minimum typing rules and axioms below.

1. (From [CG92]) We write $C \vdash t \ll \tau$ if $t$ is a type variable, and $C \vdash t < \tau$ is provable using only (SVar) and (STrans).

2. The type $lub(\tau, \tau')$ is the least upper bound of $\tau$ and $\tau'$ according to the subtyping ordering. The least upper bound of two types exists as long as they have any upper bound. See [BCD+93] for details.

MVar

$$C, E \vdash_M x : \tau, \text{ if } E(x) = \tau$$

MCond

$$\frac{C, E \vdash_M B : \rho, \qquad C \vdash \rho < Bool, \qquad C, E \vdash_M M : \tau', \qquad C, E \vdash_M N : \tau''}{C, E \vdash_M if\ B\ then\ M\ else\ N : lub(\tau', \tau'')}$$

MAbs

$$\frac{C, E \cup \{v : \sigma\} \vdash_M M : \tau}{C, E \vdash_M fun(v : \sigma)\ M : \sigma \to \tau}$$

MAppl

$$\frac{C, E \vdash_M M : \sigma \to \tau, \qquad C, E \vdash_M N : \sigma', \qquad C \vdash \sigma' < \sigma}{C, E \vdash_M M\ N : \tau}$$

MAppl'

$$\frac{C, E \vdash_M M : t, \qquad C, E \vdash_M N : \sigma', \qquad C \vdash t \ll \sigma \to \tau, \qquad C \vdash \sigma' < \sigma}{C, E \vdash_M M\ N : \tau}$$

MEq?

$$\frac{C, E \vdash_M M : \tau, \qquad C, E \vdash_M N : \tau', \qquad C \vdash \tau < Num, \qquad C \vdash \tau' < Num}{C, E \vdash_M M = N : Bool}$$

MRec

$$\frac{C, E \vdash_M e_i : \tau_i,\ \forall i : 1 \le i \le n}{C, E \vdash_M \{m_1 = e_1, \ldots, m_n = e_n\} : \{m_1 : \tau_1; \ldots; m_n : \tau_n\}}$$

MProj

$$\frac{C, E \vdash_M e : \{m_1 : \tau_1; \ldots; m_n : \tau_n\}}{C, E \vdash_M e.m_i : \tau_i,\ \forall i : 1 \le i \le n}$$

MProj'

$$\frac{C, E \vdash_M e : t, \qquad C \vdash t \ll \{m_1 : \tau_1; \ldots; m_n : \tau_n\}}{C, E \vdash_M e.m_i : \tau_i,\ \forall i : 1 \le i \le n}$$

MClass

$$\frac{C \cup \{MyType <_{meth} ObjectType(MyType)\tau\}, E \cup \{self : MyType\} \vdash_M e : \tau', \qquad C \cup \{MyType <_{meth} ObjectType(MyType)\tau\} \vdash \tau' < \tau}{C, E \vdash_M class(self : MyType <_{meth} ObjectType(MyType)\tau)e : ClassType(MyType)\tau}$$

MObj

$$\frac{C \cup \{MyType <_{meth} ObjectType(MyType)\tau\}, E \cup \{self : MyType\} \vdash_M e : \tau', \qquad C \cup \{MyType <_{meth} ObjectType(MyType)\tau\} \vdash \tau' < \tau}{C, E \vdash_M obj(self : MyType <_{meth} ObjectType(MyType)\tau)e : ObjectType(MyType)\tau}$$

MNew

$$\frac{C, E \vdash_M c : ClassType(MyType)\tau}{C, E \vdash_M new\ c : ObjectType(MyType)\tau}$$

MMsg

$$\frac{C, E \vdash_M o : ObjectType(MyType)\{m_1 : \tau_1; \ldots; m_n : \tau_n\}}{C, E \vdash_M o \Leftarrow m_i : \tau_i[ObjectType(MyType)\{m_1 : \tau_1; \ldots; m_n : \tau_n\}/MyType]}$$

MMsg'

$$\frac{C, E \vdash_M o : t, \qquad (t <_{meth} ObjectType(MyType)\{m_1 : \tau_1; \ldots; m_n : \tau_n\}) \in C}{C, E \vdash_M o \Leftarrow m_i : \tau_i[t/MyType]}$$

MUpdate

$$\frac{\begin{array}{c} C, E \vdash_M c : ClassType(MyType)\tau, \qquad C \vdash \tau_1' < \tau_1, \\ C \cup \{MyType <_{meth} ObjectType(MyType)\tau'\}, E \cup \{self : MyType, super : \tau\} \vdash_M e_1' : \tau'', \\ C \cup \{MyType <_{meth} ObjectType(MyType)\tau'\} \vdash \tau'' < \tau_1' \end{array}}{C, E \vdash_M update\ c\ by\ (self : MyType <_{meth} ObjectType(MyType)\tau'; super)\{m_1 = e_1'\} : ClassType(MyType)\tau'}$$

where $\tau = \{m_1 : \tau_1; \ldots; m_n : \tau_n\}$ and $\tau' = \{m_1 : \tau_1'; m_2 : \tau_2; \ldots; m_n : \tau_n\}$.

MExtend

$$\frac{\begin{array}{c} C, E \vdash_M c : ClassType(MyType)\tau, \\ C \cup \{MyType <_{meth} ObjectType(MyType)\tau'\}, E \cup \{self : MyType, super : \tau\} \vdash_M e_{n+1} : \tau_{n+1}', \\ C \cup \{MyType <_{meth} ObjectType(MyType)\tau'\} \vdash \tau_{n+1}' < \tau_{n+1} \end{array}}{C, E \vdash_M extend\ c\ with\ (self : MyType <_{meth} ObjectType(MyType)\tau'; super)\{m_{n+1} = e_{n+1}\} : ClassType(MyType)\tau'}$$

where $\tau = \{m_1 : \tau_1; \ldots; m_n : \tau_n\}$ and $\tau' = \{m_1 : \tau_1; \ldots; m_{n+1} : \tau_{n+1}\}$.

C Natural Semantics for TOOPLE

RAbs

$$C, E \vdash \mathit{fun}(x : \sigma)\,M : \sigma \to \tau \Downarrow \mathit{fun}(x : \sigma)\,M$$

RConst

$$C, E \vdash \mathit{true} : Bool \Downarrow \mathit{true}, \qquad C, E \vdash \mathit{false} : Bool \Downarrow \mathit{false},$$
$$C, E \vdash n : Num \Downarrow n,\ \text{if } n \text{ is a constant of type } Num, \qquad C, E \vdash \mathit{self} : MyType \Downarrow \mathit{self}$$

RRecord

$$C, E \vdash \{r_1 = e_1, \ldots, r_n = e_n\} : \{r_1 : \tau_1; \ldots; r_n : \tau_n\} \Downarrow \{r_1 = e_1, \ldots, r_n = e_n\}$$

RClass

$$C, E \vdash \mathit{class}(\mathit{self} : MyType <_{meth} ObjectType(MyType)\tau)\,e : ClassType(MyType)\tau \Downarrow \mathit{class}(\mathit{self} : MyType <_{meth} ObjectType(MyType)\tau)\,e$$

RObj

$$C, E \vdash \mathit{obj}(\mathit{self} : MyType <_{meth} ObjectType(MyType)\tau)\,e : ObjectType(MyType)\tau \Downarrow \mathit{obj}(\mathit{self} : MyType <_{meth} ObjectType(MyType)\tau)\,e$$

REq

$$\frac{C, E \vdash e_1 : Num \Downarrow v \qquad C, E \vdash e_2 : Num \Downarrow v}{C, E \vdash e_1 = e_2 : Bool \Downarrow \mathit{true}}$$

RNeq

$$\frac{C, E \vdash e_1 : Num \Downarrow v_1 \qquad C, E \vdash e_2 : Num \Downarrow v_2 \qquad v_1 \ne v_2}{C, E \vdash e_1 = e_2 : Bool \Downarrow \mathit{false}}$$

RTrue

$$\frac{C, E \vdash B : Bool \Downarrow \mathit{true} \qquad C, E \vdash e_1 : \tau \Downarrow v \qquad C, E \vdash e_2 : \tau}{C, E \vdash \mathbf{if}\ B\ \mathbf{then}\ e_1\ \mathbf{else}\ e_2 : \tau \Downarrow v}$$

RFalse

$$\frac{C, E \vdash B : Bool \Downarrow \mathit{false} \qquad C, E \vdash e_2 : \tau \Downarrow v \qquad C, E \vdash e_1 : \tau}{C, E \vdash \mathbf{if}\ B\ \mathbf{then}\ e_1\ \mathbf{else}\ e_2 : \tau \Downarrow v}$$

RAppl

$$\frac{C, E \vdash e : \sigma \to \tau \Downarrow \mathit{fun}(x : \sigma)\,M \qquad C, E \vdash M[e'/x] : \tau \Downarrow v}{C, E \vdash e\ e' : \tau \Downarrow v}$$

RProj

$$\frac{C, E \vdash e : \tau \Downarrow \{r_1 = e_1, \ldots, r_i = e_i, \ldots, r_n = e_n\} \qquad C, E \vdash e_i : \tau_i \Downarrow v}{C, E \vdash e.r_i : \tau_i \Downarrow v}$$

RNew

$$\frac{C, E \vdash c : ClassType(MyType)\tau \Downarrow \mathit{class}(\mathit{self} : MyType <_{meth} ObjectType(MyType)\tau)\,e}{C, E \vdash \mathit{new}\ c : ObjectType(MyType)\tau \Downarrow \mathit{obj}(\mathit{self} : MyType <_{meth} ObjectType(MyType)\tau)\,e}$$

RMsg

$$\frac{\begin{array}{l}
C, E \vdash o : \gamma \Downarrow \mathit{obj}(\mathit{self} : MyType <_{meth} \gamma')\,e, \\
C, E \vdash (e[\mathit{obj}(\mathit{self} : MyType <_{meth} ObjectType(MyType)\tau)\,e/\mathit{self},\ \gamma'/MyType] : \{m_1 : \tau_1; \ldots; m_n : \tau_n\})[\gamma'/MyType] \Downarrow \{m_1 = e_1, \ldots, m_n = e_n\}, \\
C, E \vdash e_i : \tau_i[\gamma'/MyType] \Downarrow v
\end{array}}{C, E \vdash o \Leftarrow m_i : \tau_i[\gamma/MyType] \Downarrow v}$$

where $1 \le i \le n$, and $\gamma' = ObjectType(MyType)\{m_1 : \tau_1; \ldots; m_n : \tau_n\}$.

RUpdate

$$\frac{C, E \vdash c : ClassType(MyType)\tau \Downarrow \mathit{class}(\mathit{self} : MyType <_{meth} ObjectType(MyType)\tau)\,e}{\begin{array}{l}
C, E \vdash \mathit{update}\ c\ \mathit{by}\ (\mathit{self} : MyType <_{meth} ObjectType(MyType)\tau',\ \mathit{super})\{m_1 = e'_1\} : ClassType(MyType)\tau' \Downarrow \\
\quad \mathit{class}(\mathit{self} : MyType <_{meth} ObjectType(MyType)\tau')\{m_1 = e''_1,\ m_2 = e.m_2,\ \ldots,\ m_n = e.m_n\}
\end{array}}$$

where $e''_1 = e'_1[e/\mathit{super}]$, $\tau = \{m_1 : \tau_1; \ldots; m_n : \tau_n\}$, and $\tau' = \{m_1 : \tau'_1; \ldots; m_n : \tau_n\}$.

RExtend

$$\frac{C, E \vdash c : ClassType(MyType)\tau \Downarrow \mathit{class}(\mathit{self} : MyType <_{meth} ObjectType(MyType)\tau)\,e}{\begin{array}{l}
C, E \vdash \mathit{extend}\ c\ \mathit{with}\ (\mathit{self} : MyType <_{meth} ObjectType(MyType)\tau',\ \mathit{super})\{m_{n+1} = e_{n+1}\} : ClassType(MyType)\tau' \Downarrow \\
\quad \mathit{class}(\mathit{self} : MyType <_{meth} ObjectType(MyType)\tau')\{m_1 = e.m_1,\ \ldots,\ m_n = e.m_n,\ m_{n+1} = e'_{n+1}\}
\end{array}}$$

where $e'_{n+1} = e_{n+1}[e/\mathit{super}]$, $\tau = \{m_1 : \tau_1; \ldots; m_n : \tau_n\}$, and $\tau' = \{m_1 : \tau_1; \ldots; m_{n+1} : \tau_{n+1}\}$.

D Denotational Semantics for TOOPL

ObjectType

$$\llbracket ObjectType(MyType)\tau \rrbracket\rho = FIX(\lambda\xi . \llbracket \tau \rrbracket\rho[\xi/MyType])$$

ClassType

$$\llbracket ClassType(MyType)\tau \rrbracket\rho = \prod_{\xi \le \llbracket \tau \rrbracket\rho[\xi/MyType]} (\xi \to \llbracket \tau \rrbracket\rho[\xi/MyType])$$

Var

$$\llbracket C, E \vdash x : \tau \rrbracket\rho = \rho(x)$$

Cond

$$\llbracket C, E \vdash \mathbf{if}\ B\ \mathbf{then}\ e_1\ \mathbf{else}\ e_2 : \tau \rrbracket\rho = \begin{cases} \llbracket C, E \vdash e_1 : \tau \rrbracket\rho, & \text{if } \llbracket C, E \vdash B : Bool \rrb racket\rho = \mathit{true} \\ \llbracket C, E \vdash e_2 : \tau \rrbracket\rho, & \text{if } \llbracket C, E \vdash B : Bool \rrbracket\rho = \mathit{false} \\ \bot, & \text{otherwise} \end{cases}$$

Abs

$$\llbracket C, E \vdash \mathit{fun}(x : \sigma)\,M : \sigma \to \tau \rrbracket\rho = \lambda d \in \llbracket \sigma \rrbracket\rho . \llbracket C, E \vdash M : \tau \rrbracket\rho[d/x]$$

Appl

$$\llbracket C, E \vdash e\ e' : \tau \rrbracket\rho = (\llbracket C, E \vdash e : \sigma \to \tau \rrbracket\rho)(\llbracket C, E \vdash e' : \sigma \rrbracket\rho)$$

Eq?

$$\llbracket C, E \vdash e_1 = e_2 : Bool \rrbracket\rho = \begin{cases} \mathit{true}, & \text{if } \llbracket C, E \vdash e_1 : \tau \rrbracket\rho = \llbracket C, E \vdash e_2 : \tau \rrbracket\rho \\ \mathit{false}, & \text{otherwise} \end{cases}$$

Rec

$$\llbracket C, E \vdash \{r_1 = e_1, \ldots, r_n = e_n\} : \tau \rrbracket\rho = f,$$

where $dom(f) = \{r_1, \ldots, r_n\}$ and $\forall i : 1 \le i \le n,\ f(r_i) = \llbracket C, E \vdash e_i : \tau_i \rrbracket\rho$.

Proj

$$\llbracket C, E \vdash e.r_i : \tau_i \rrbracket\rho = (\llbracket C, E \vdash e : \tau \rrbracket\rho)(r_i)$$

Class

$$\llbracket C, E \vdash \mathit{class}(\mathit{self} : MyType <_{meth} ObjectType(MyType)\tau)\,e : ClassType(MyType)\tau \rrbracket\rho = \Lambda\xi \le \llbracket \tau \rrbracket\rho[\xi/MyType] . \lambda o \in \xi . \llbracket C \cup \{MyType <_{meth} ObjectType(MyType)\tau\},\ E \cup \{\mathit{self} : MyType\} \vdash e : \tau \rrbracket\rho[\xi/MyType,\ o/\mathit{self}]$$

New

$$\llbracket C, E \vdash \mathit{new}\ c : ObjectType(MyType)\tau \rrbracket\rho = FIX((\llbracket C, E \vdash c : ClassType(MyType)\tau \rrbracket\rho)(\llbracket ObjectType(MyType)\tau \rrbracket\rho))$$

Obj

$$\llbracket C, E \vdash \mathit{obj}(\mathit{self} : MyType <_{meth} ObjectType(MyType)\tau)\,e : ObjectType(MyType)\tau \rrbracket\rho = FIX((\llbracket C, E \vdash \mathit{class}(\mathit{self} : MyType <_{meth} ObjectType(MyType)\tau)\,e : ClassType(MyType)\tau \rrbracket\rho)(\llbracket ObjectType(MyType)\tau \rrbracket\rho))$$

Msg

$$\llbracket C, E \vdash o \Leftarrow m_i : \tau_i[\gamma/MyType] \rrbracket\rho = (\mathit{convert}_{\llbracket \gamma \rrbracket\rho,\ \llbracket \tau \rrbracket\rho[\llbracket \gamma \rrbracket\rho/MyType]}\ \llbracket C, E \vdash o : \gamma \rrbracket\rho)(m_i)$$

Update

$$\llbracket C, E \vdash \mathit{update}\ c\ \mathit{by}\ (\mathit{self} : MyType <_{meth} ObjectType(MyType)\tau',\ \mathit{super})\{m_1 = e'_1\} : ClassType(MyType)\tau' \rrbracket\rho = \Lambda\xi \le \llbracket \tau' \rrbracket\rho[\xi/MyType] . \lambda o \in \xi . f,$$

where

$dom(f) = \{m_1, \ldots, m_n\}$,

$f(m_1) = \llbracket C \cup \{MyType <_{meth} ObjectType(MyType)\tau'\},\ E \cup \{\mathit{self} : MyType\} \vdash e'_1 : \tau'_1 \rrbracket\rho[\xi/MyType,\ o/\mathit{self},\ s/\mathit{super}]$,

$f(m_j) = s(m_j),\ \forall j : 2 \le j \le n$,

$s = (\llbracket C, E \vdash c : ClassType(MyType)\{m_1 : \tau_1; \ldots; m_n : \tau_n\} \rrbracket\rho)(\xi)(o)$.

Extend

$$\llbracket C, E \vdash \mathit{extend}\ c\ \mathit{with}\ (\mathit{self} : MyType <_{meth} ObjectType(MyType)\tau',\ \mathit{super})\{m_{n+1} = e_{n+1}\} : ClassType(MyType)\tau' \rrbracket\rho = \Lambda\xi \le \llbracket \tau' \rrbracket\rho[\xi/MyType] . \lambda o \in \xi . f,$$

where

$dom(f) = \{m_1, \ldots, m_{n+1}\}$,

$f(m_{n+1}) = \llbracket C \cup \{MyType <_{meth} ObjectType(MyType)\tau'\},\ E \cup \{\mathit{self} : MyType\} \vdash e_{n+1} : \tau_{n+1} \rrbracket\rho[\xi/MyType,\ o/\mathit{self},\ s/\mathit{super}]$,

$f(m_j) = s(m_j),\ \forall j : 1 \le j \le n$,

$s = (\llbracket C, E \vdash c : ClassType(MyType)\{m_1 : \tau_1; \ldots; m_n : \tau_n\} \rrbracket\rho)(\xi)(o)$.


On  the  Transformation  Between  Direct  and 
Continuation  Semantics  * 

Olivier  Danvy  and  John  Hatcliff 
Aarhus  University  **  and  Kansas  State  University  *** 
1 Introduction

Proving the congruence between a denotational-semantics specification in direct style and a denotational-semantics specification in continuation style is not trivial [26, 28, 31]. Yet,

- both direct-style and continuation-style specifications can be represented as typed λ-terms: semantic domains are represented with types, and valuation functions with λ-terms [22, 28];

- typed λ-terms can be transformed into continuation style automatically using Plotkin's continuation-passing-style (CPS) transformation [9, 15, 24].

We have transformed the representation of several direct-style specifications into continuation style. Since the meta-language of denotational semantics obeys normal order [28], we have used the call-by-name CPS transformation. The result is not the expected representation of a continuation-style semantics (i.e., one written by hand).


1.1 An example

It is sufficient to look at types to see where a mismatch occurs.

$$\mathcal{C}_d\llbracket \cdot \rrbracket : Env_d \to Com_d \qquad \text{where} \qquad Com_d = Store \to Store$$

$$\mathcal{C}_c\llbracket \cdot \rrbracket : Env_c \to Com_c \qquad \text{where} \qquad Com_c = Store \to (Store \to Ans) \to Ans$$

Fig. 1. Types of valuation functions for a simple imperative language

Figure 1 gives the types of two valuation functions for a simple imperative language. $\mathcal{C}_d\llbracket \cdot \rrbracket$ is a direct-style valuation function and $\mathcal{C}_c\llbracket \cdot \rrbracket$ is a continuation-style valuation function.

Figure 2 displays Plotkin's call-by-name CPS transformation $\mathcal{C}_n$ for typed terms [9, 24]. $\iota$ represents a base type.

Transforming the types of the direct-style valuation function $\mathcal{C}_d\llbracket \cdot \rrbracket$ does not yield the types of the continuation-style valuation function $\mathcal{C}_c\llbracket \cdot \rrbracket$. For example, the transformation of the function space $Env_d \to Com_d$ yields

$$((\mathcal{C}_n(Env_d) \to Ans) \to Ans) \to (\mathcal{C}_n(Com_d) \to Ans) \to Ans$$

which does not match the type of the corresponding function space

$$Env_c \to Com_c$$

in $\mathcal{C}_c\llbracket \cdot \rrbracket$. Essentially, $\mathcal{C}_n$ introduces too many continuations.
$$\mathcal{C}_n\llbracket i \rrbracket = i$$

$$\mathcal{C}_n\llbracket \lambda i : t . e \rrbracket = \lambda\kappa . \kappa\,(\lambda i : \mathcal{C}_n\langle t \rangle . \mathcal{C}_n\llbracket e \rrbracket)$$

$$\mathcal{C}_n\llbracket e_0\ e_1 \rrbracket = \lambda\kappa . \mathcal{C}_n\llbracket e_0 \rrbracket\,(\lambda v_0 . v_0\ \mathcal{C}_n\llbracket e_1 \rrbracket\ \kappa)$$

$$\mathcal{C}_n(\iota) = \iota$$

$$\mathcal{C}_n(t_0 \to t_1) = \mathcal{C}_n\langle t_0 \rangle \to \mathcal{C}_n\langle t_1 \rangle$$

$$\mathcal{C}_n\langle t \rangle = (\mathcal{C}_n(t) \to Ans) \to Ans$$

Fig. 2. Transformation of call-by-name λ-terms into continuation style


This mismatch is significant because it shows that a continuation semantics is not just a direct semantics with continuations. For another example, in a continuation semantics, environments (represented as functions) usually are expressed in direct style, i.e., they are not passed any continuation [28, 31].
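To make the type-level mismatch of Section 1.1 concrete, here is an added example (not code from the paper): Plotkin's call-by-name CPS transformation of Figure 2, restricted to types, applied to the valuation-function types of Figure 1. The tuple encoding of types and the names `arrow`, `cn_value`, `cn_comp`, `show`, `count_ans`, `COM_D`, `COM_C`, `ENV_D` and `transformed_direct_space` are this example's own; `Cn(t)` is rendered as `cn_value` and `Cn<t>` as `cn_comp`.

```python
# Added example, not from the paper: Plotkin's call-by-name CPS transformation
# of Fig. 2 applied to types only, reproducing the mismatch of Section 1.1.
# Encoding (this example's own): a type is ('base', name) or ('arrow', t0, t1).

ANS = ('base', 'Ans')

def arrow(t0, t1):
    return ('arrow', t0, t1)

def cn_value(t):
    """Cn(t): the type a *value* of type t has after transformation.
    Cn(iota) = iota and Cn(t0 -> t1) = Cn<t0> -> Cn<t1>."""
    if t[0] == 'base':
        return t
    _, t0, t1 = t
    return arrow(cn_comp(t0), cn_comp(t1))

def cn_comp(t):
    """Cn<t>: the type a *term* of type t has after transformation,
    (Cn(t) -> Ans) -> Ans, i.e. a function expecting a continuation."""
    return arrow(arrow(cn_value(t), ANS), ANS)

def show(t):
    """Render a type; '->' associates to the right, so only an arrow on the
    left of another arrow is parenthesised."""
    if t[0] == 'base':
        return t[1]
    _, t0, t1 = t
    left = show(t0) if t0[0] == 'base' else '(' + show(t0) + ')'
    return left + ' -> ' + show(t1)

def count_ans(t):
    """Count occurrences of Ans.  Each continuation-passing position
    (Cn<t> = (Cn(t) -> Ans) -> Ans) contributes two of them, so the count
    measures how many continuations a type threads through."""
    if t[0] == 'base':
        return 1 if t == ANS else 0
    return count_ans(t[1]) + count_ans(t[2])

# Fig. 1, direct style:       Com_d = Store -> Store
# Fig. 1, continuation style: Com_c = Store -> (Store -> Ans) -> Ans
STORE = ('base', 'Store')
COM_D = arrow(STORE, STORE)
COM_C = arrow(STORE, arrow(arrow(STORE, ANS), ANS))
ENV_D = ('base', 'Env_d')

def transformed_direct_space():
    """Cn applied to the function space Env_d -> Com_d, which the paper writes
    as ((Cn(Env_d) -> Ans) -> Ans) -> (Cn(Com_d) -> Ans) -> Ans."""
    return cn_value(arrow(ENV_D, COM_D))

if __name__ == '__main__':
    print('Cn(Com_d)          =', show(cn_value(COM_D)))
    print('Com_c (by hand)    =', show(COM_C))
    print('Cn(Env_d -> Com_d) =', show(transformed_direct_space()))
```

Running it prints `Cn(Com_d)` as `((Store -> Ans) -> Ans) -> (Store -> Ans) -> Ans` next to the hand-written `Store -> (Store -> Ans) -> Ans`: the transformation passes even the store as a continuation-expecting computation, which is exactly the surplus of continuations the text points at.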

1.2 A choice

At this point we have a choice:

- We could establish the relationship between the result of CPS-transforming [the representation of] a direct-style semantics and [the representation of] a continuation-style semantics that one would write by hand, and maybe map one into the other.

- We could devise a new CPS transformation that would transform [the representation of] a direct-style semantics into [the representation of] a realistic continuation-style semantics. By a "realistic" continuation-style semantics, we mean "one that a professional denotational-semanticist would write".

We choose the latter option.

1.3 On the transformation between direct and continuation semantics

The goal of our work is to automate the transformation between textual representations of direct semantics and of continuation semantics. Essentially, we identify properties of a direct-style representation (e.g., totality), and we generalize the call-by-name CPS transformation accordingly. As a result, we can produce the expected representation of a realistic continuation semantics, automatically.

It is important to understand the transformation between representations of direct and of continuation semantics for at least three reasons.

1. It is these representations that get processed in any kind of semantics-based program manipulation (e.g., compiling, compiler generation, and partial evaluation).

2. The properties of [the representation of] the direct-style semantics should give precious insights to establishing the congruence relation between the direct semantics and the continuation semantics.

3. The properties of the transformation should give guidelines for proving the congruence between the direct semantics and the continuation semantics.

1.4 Issues

The tools used in this paper are interesting in their own right.

1. The generalized call-by-name CPS transformation is based on a system of annotations capturing reduction properties such as partiality and totality. Using these annotations, we extend Reynolds's classification of trivial and serious λ-terms⁴ to serious and trivial functions. The extended classification gives a finer scheme for describing termination properties of terms: unlike Reynolds's original scheme, it allows us to state that, e.g., some applications are actually trivial.

2. The annotations are obtained by an automatic control-flow analysis that extends Mycroft's ♭ termination analysis to higher-order programs [20, 21]. This tool has applications in other areas such as compiling and partial evaluation.

3. Retaining Reynolds's method of introducing continuations in serious terms yields a transformation that introduces continuations only when necessary to achieve evaluation-order independence. Thus, this new transformation generalizes the call-by-name CPS transformation (should all functions be serious) and the identity transformation (should all functions be trivial). In an earlier work, we reported a CPS transformation after strictness analysis that generalizes the call-by-value CPS transformation (should all constructs be strict) and the call-by-name CPS transformation (should all constructs be non-strict) [5]. Tools producing a variety of continuation-style representations are valuable new ones in a programming-language workbench.

1.5 Organization

The rest of this paper is organized as follows. Section 2 presents an example language and two semantic definitions, one in direct style and one in continuation style. Section 3 describes how these semantic definitions can be represented as typed λ-terms. In Section 4, we generalize Reynolds's notion of trivial and serious terms. In Section 5, we extend the transformation into continuation style to handle terms with annotations describing trivial and serious properties. In Section 6, we examine the properties of the representation of the direct-style semantics of Section 2 and we annotate this representation. In Section 7, we transform this annotated representation into continuation style and we obtain the expected representation of a continuation semantics. Finally, Section 8 concludes and puts this work into perspective.

⁴ Reducing a trivial λ-term always terminates whereas reducing a serious λ-term may not terminate [25]. Reynolds's notion of trivial λ-term coincides with Plotkin's notion of value [24].

$z \in Program$, $l \in Location$, $c \in Command$, $m \in Ident[num]$, $e \in Expression$, $p \in Ident[proc]$, $n \in Numeral$, $f \in Ident[fun]$

$$z ::= \mathbf{proc}\ p\ (m) = c\ \mathbf{in}\ z \mid \mathbf{fun}\ f\ (m) = e\ \mathbf{in}\ z \mid c.$$

$$c ::= \mathbf{skip} \mid c_1 ; c_2 \mid l := e \mid \mathbf{if}\ e\ \mathbf{then}\ c_1\ \mathbf{else}\ c_2 \mid \mathbf{while}\ e\ \mathbf{do}\ c \mid \mathbf{call}\ p\ (e)$$

$$e ::= n \mid m \mid \mathbf{succ}\ e \mid \mathbf{pred}\ e \mid \mathbf{deref}\ l \mid \mathbf{apply}\ f\ (e)$$

Fig. 3. Abstract syntax of the simple imperative language

2 Example Denotational Definitions

Figure 3 presents the abstract syntax of a simple imperative language with global and non-recursive first-order procedures. Figures 4 and 5 give a direct semantics and a continuation semantics for the simple imperative language. The functionality of the semantic algebras for stores, environments, and natural numbers are the usual ones and the specifications are omitted.

Proposition 1. The semantics of Figures 4 and 5 define the same language, that is, they are congruent [31, page 340]. □

3 Representing Denotational Definitions as Typed λ-terms

Denotational definitions are usually implemented by treating the semantic notation as a "machine language" [28, Section 10.1]. A common notation of denotational semantics is the λ-calculus. Thus, domains are mapped into types and domain constructors into type constructors, valuation functions are mapped into λ-expressions, and semantic-algebra operations into δ-rules. Figure 6 presents the syntax of an extended λ-calculus used to represent denotational definitions as typed terms. The typing rules are the usual ones and are omitted. When $e$ has type $t$ under type assumptions $\pi$ we write $\pi \vdash e : t$. Each element of the set of type assumptions $\pi$ is of the form $i : t$. To simplify substitution, and without loss of generality, we assume that all identifiers are unique.

Let us summarize how the example denotational definitions of Figures 4 and 5 are represented by the typed terms of Figure 6.
Valuation Functions:

$\mathcal{Z}\llbracket Program \rrbracket : Env \to Com$, $\mathcal{C}\llbracket Command \rrbracket : Env \to Com$, $\mathcal{E}\llbracket Expression \rrbracket : Env \to Exp$, $\mathcal{N}\llbracket Numeral \rrbracket : Nat$, $\mathcal{L}\llbracket Location \rrbracket : Loc$

Semantic Domains:

$Com = Store \to Store$, $Exp = Store \to Nat$, $Proc = Nat \to Com$, $Fun = Nat \to Exp$

Programs:

$$\mathcal{Z}\llbracket \mathbf{proc}\ p\ (m) = c\ \mathbf{in}\ z \rrbracket = \lambda\rho.\lambda\sigma.\mathcal{Z}\llbracket z \rrbracket\,(\mathit{ext}\ \rho\ p\ (\lambda\iota.\mathcal{C}\llbracket c \rrbracket\,(\mathit{ext}\ \rho\ m\ \iota)))\ \sigma$$

$$\mathcal{Z}\llbracket \mathbf{fun}\ f\ (m) = e\ \mathbf{in}\ z \rrbracket = \lambda\rho.\lambda\sigma.\mathcal{Z}\llbracket z \rrbracket\,(\mathit{ext}\ \rho\ f\ (\lambda\iota.\mathcal{E}\llbracket e \rrbracket\,(\mathit{ext}\ \rho\ m\ \iota)))\ \sigma$$

$$\mathcal{Z}\llbracket c. \rrbracket = \lambda\rho.\lambda\sigma.\mathcal{C}\llbracket c \rrbracket\,\rho\,\sigma$$

Commands:

$$\mathcal{C}\llbracket \mathbf{skip} \rrbracket = \lambda\rho.\lambda\sigma.\sigma$$

$$\mathcal{C}\llbracket c_1 ; c_2 \rrbracket = \lambda\rho.\lambda\sigma.\mathbf{let}\ \sigma' = \mathcal{C}\llbracket c_1 \rrbracket\,\rho\,\sigma\ \mathbf{in}\ \mathcal{C}\llbracket c_2 \rrbracket\,\rho\,\sigma'$$

$$\mathcal{C}\llbracket l := e \rrbracket = \lambda\rho.\lambda\sigma.\mathit{upd}\ \sigma\ \mathcal{L}\llbracket l \rrbracket\ (\mathcal{E}\llbracket e \rrbracket\,\rho\,\sigma)$$

$$\mathcal{C}\llbracket \mathbf{if}\ e\ \mathbf{then}\ c_1\ \mathbf{else}\ c_2 \rrbracket = \lambda\rho.\lambda\sigma.\mathbf{if}\ \mathit{iszero?}\ (\mathcal{E}\llbracket e \rrbracket\,\rho\,\sigma)\ \mathbf{then}\ (\mathcal{C}\llbracket c_1 \rrbracket\,\rho\,\sigma)\ \mathbf{else}\ (\mathcal{C}\llbracket c_2 \rrbracket\,\rho\,\sigma)$$

$$\mathcal{C}\llbracket \mathbf{while}\ e\ \mathbf{do}\ c \rrbracket = \lambda\rho.\lambda\sigma.\mathbf{letrec}\ w = \lambda\sigma.\mathbf{if}\ \mathit{iszero?}\ (\mathcal{E}\llbracket e \rrbracket\,\rho\,\sigma)\ \mathbf{then}\ \mathbf{let}\ \sigma' = \mathcal{C}\llbracket c \rrbracket\,\rho\,\sigma\ \mathbf{in}\ w\ \sigma'\ \mathbf{else}\ \sigma\ \mathbf{in}\ w\ \sigma$$

$$\mathcal{C}\llbracket \mathbf{call}\ p\ (e) \rrbracket = \lambda\rho.\lambda\sigma.(\mathit{lookup}\ \rho\ p)\ (\mathcal{E}\llbracket e \rrbracket\,\rho\,\sigma)\ \sigma$$

Expressions:

$$\mathcal{E}\llbracket n \rrbracket = \lambda\rho.\lambda\sigma.\mathcal{N}\llbracket n \rrbracket$$

$$\mathcal{E}\llbracket m \rrbracket = \lambda\rho.\lambda\sigma.\mathit{lookup}\ \rho\ m$$

$$\mathcal{E}\llbracket \mathbf{succ}\ e \rrbracket = \lambda\rho.\lambda\sigma.\mathit{succ}\ (\mathcal{E}\llbracket e \rrbracket\,\rho\,\sigma)$$

$$\mathcal{E}\llbracket \mathbf{pred}\ e \rrbracket = \lambda\rho.\lambda\sigma.\mathit{pred}\ (\mathcal{E}\llbracket e \rrbracket\,\rho\,\sigma)$$

$$\mathcal{E}\llbracket \mathbf{deref}\ l \rrbracket = \lambda\rho.\lambda\sigma.\mathit{fetch}\ \sigma\ \mathcal{L}\llbracket l \rrbracket$$

$$\mathcal{E}\llbracket \mathbf{apply}\ f\ (e) \rrbracket = \lambda\rho.\lambda\sigma.(\mathit{lookup}\ \rho\ f)\ (\mathcal{E}\llbracket e \rrbracket\,\rho\,\sigma)\ \sigma$$

Fig. 4. Direct semantics of the simple imperative language
Valuation Functions:

$\mathcal{Z}\llbracket Program \rrbracket : Env \to Com$, $\mathcal{C}\llbracket Command \rrbracket : Env \to Com$, $\mathcal{E}\llbracket Expression \rrbracket : Env \to Exp$, $\mathcal{N}\llbracket Numeral \rrbracket : Nat$, $\mathcal{L}\llbracket Location \rrbracket : Loc$

Semantic Domains:

$Com = Store \to (Store \to Ans) \to Ans$, $Exp = Store \to Nat$, $Proc = Nat \to Com$, $Fun = Nat \to Exp$

Programs:

$$\mathcal{Z}\llbracket \mathbf{proc}\ p\ (m) = c\ \mathbf{in}\ z \rrbracket = \lambda\rho.\lambda\sigma.\lambda\kappa.\mathcal{Z}\llbracket z \rrbracket\,(\mathit{ext}\ \rho\ p\ (\lambda\iota.\mathcal{C}\llbracket c \rrbracket\,(\mathit{ext}\ \rho\ m\ \iota)))\ \sigma\ \kappa$$

$$\mathcal{Z}\llbracket \mathbf{fun}\ f\ (m) = e\ \mathbf{in}\ z \rrbracket = \lambda\rho.\lambda\sigma.\lambda\kappa.\mathcal{Z}\llbracket z \rrbracket\,(\mathit{ext}\ \rho\ f\ (\lambda\iota.\mathcal{E}\llbracket e \rrbracket\,(\mathit{ext}\ \rho\ m\ \iota)))\ \sigma\ \kappa$$

$$\mathcal{Z}\llbracket c. \rrbracket = \lambda\rho.\lambda\sigma.\lambda\kappa.\mathcal{C}\llbracket c \rrbracket\,\rho\,\sigma\,\kappa$$

Commands:

$$\mathcal{C}\llbracket \mathbf{skip} \rrbracket = \lambda\rho.\lambda\sigma.\lambda\kappa.\kappa\ \sigma$$

$$\mathcal{C}\llbracket c_1 ; c_2 \rrbracket = \lambda\rho.\lambda\sigma.\lambda\kappa.\mathcal{C}\llbracket c_1 \rrbracket\,\rho\,\sigma\ (\lambda\sigma'.\mathcal{C}\llbracket c_2 \rrbracket\,\rho\,\sigma'\,\kappa)$$

$$\mathcal{C}\llbracket l := e \rrbracket = \lambda\rho.\lambda\sigma.\lambda\kappa.\kappa\ (\mathit{upd}\ \sigma\ \mathcal{L}\llbracket l \rrbracket\ (\mathcal{E}\llbracket e \rrbracket\,\rho\,\sigma))$$

$$\mathcal{C}\llbracket \mathbf{if}\ e\ \mathbf{then}\ c_1\ \mathbf{else}\ c_2 \rrbracket = \lambda\rho.\lambda\sigma.\lambda\kappa.\mathbf{if}\ \mathit{iszero?}\ (\mathcal{E}\llbracket e \rrbracket\,\rho\,\sigma)\ \mathbf{then}\ (\mathcal{C}\llbracket c_1 \rrbracket\,\rho\,\sigma\,\kappa)\ \mathbf{else}\ (\mathcal{C}\llbracket c_2 \rrbracket\,\rho\,\sigma\,\kappa)$$

$$\mathcal{C}\llbracket \mathbf{while}\ e\ \mathbf{do}\ c \rrbracket = \lambda\rho.\lambda\sigma.\lambda\kappa.\mathbf{letrec}\ w = \lambda\sigma.\lambda\kappa'.\mathbf{if}\ \mathit{iszero?}\ (\mathcal{E}\llbracket e \rrbracket\,\rho\,\sigma)\ \mathbf{then}\ \mathcal{C}\llbracket c \rrbracket\,\rho\,\sigma\ (\lambda\sigma'.w\ \sigma'\ \kappa')\ \mathbf{else}\ \kappa'\ \sigma\ \mathbf{in}\ w\ \sigma\ \kappa$$

$$\mathcal{C}\llbracket \mathbf{call}\ p\ (e) \rrbracket = \lambda\rho.\lambda\sigma.\lambda\kappa.(\mathit{lookup}\ \rho\ p)\ (\mathcal{E}\llbracket e \rrbracket\,\rho\,\sigma)\ \sigma\ \kappa$$

Expressions:

$$\mathcal{E}\llbracket n \rrbracket = \lambda\rho.\lambda\sigma.\mathcal{N}\llbracket n \rrbracket$$

$$\mathcal{E}\llbracket m \rrbracket = \lambda\rho.\lambda\sigma.\mathit{lookup}\ \rho\ m$$

$$\mathcal{E}\llbracket \mathbf{succ}\ e \rrbracket = \lambda\rho.\lambda\sigma.\mathit{succ}\ (\mathcal{E}\llbracket e \rrbracket\,\rho\,\sigma)$$

$$\mathcal{E}\llbracket \mathbf{pred}\ e \rrbracket = \lambda\rho.\lambda\sigma.\mathit{pred}\ (\mathcal{E}\llbracket e \rrbracket\,\rho\,\sigma)$$

$$\mathcal{E}\llbracket \mathbf{deref}\ l \rrbracket = \lambda\rho.\lambda\sigma.\mathit{fetch}\ \sigma\ \mathcal{L}\llbracket l \rrbracket$$

$$\mathcal{E}\llbracket \mathbf{apply}\ f\ (e) \rrbracket = \lambda\rho.\lambda\sigma.(\mathit{lookup}\ \rho\ f)\ (\mathcal{E}\llbracket e \rrbracket\,\rho\,\sigma)\ \sigma$$

Fig. 5. Continuation semantics of the simple imperative language
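Proposition 1 states that Figures 4 and 5 define the same language. As an added example (not code from the paper), here are the two figures written out as Python interpreters over the abstract syntax of Figure 3, run on a constructed program so that the direct-style and continuation-style results can be compared on a concrete store. The tuple encoding of the syntax, the function names `E`, `C_d`, `Z_d`, `C_c`, `Z_c`, `run_direct` and `run_continuation`, and the sample program are this example's own; the store, environment and natural-number algebras (`ext`, `lookup`, `upd`, `fetch`, `succ`, `pred`, `iszero`) are assumed, since the paper omits their definitions, and `pred 0 = 0` is one of those assumptions.

```python
# Added example, not from the paper: the direct semantics of Fig. 4 and the
# continuation semantics of Fig. 5 as two Python interpreters over the abstract
# syntax of Fig. 3, run on a constructed program to check that they agree
# (Proposition 1). The tuple encoding of the syntax is this example's own; the
# store/environment/Nat algebra is assumed, the paper omits it (pred 0 = 0).

def ext(rho, i, v):   return {**rho, i: v}
def lookup(rho, i):   return rho[i]
def upd(sigma, l, n): return {**sigma, l: n}
def fetch(sigma, l):  return sigma[l]
def succ(n):          return n + 1
def pred(n):          return n - 1 if n > 0 else 0   # assumption: pred 0 = 0
def iszero(n):        return n == 0

def E(e, rho, sigma):
    """E[[e]] rho sigma -> Nat. Identical in Figs. 4 and 5: expressions stay in
    direct style even in the continuation semantics (Fun = Nat -> Store -> Nat)."""
    tag = e[0]
    if tag == 'num':   return e[1]
    if tag == 'var':   return lookup(rho, e[1])
    if tag == 'succ':  return succ(E(e[1], rho, sigma))
    if tag == 'pred':  return pred(E(e[1], rho, sigma))
    if tag == 'deref': return fetch(sigma, e[1])
    if tag == 'apply': return lookup(rho, e[1])(E(e[2], rho, sigma))(sigma)
    raise ValueError(e)

def C_d(c, rho, sigma):
    """Fig. 4: C[[c]] rho sigma -> Store. As in the figure, 'if e' takes the
    then-branch and 'while e' keeps looping exactly when e is zero (iszero?)."""
    tag = c[0]
    if tag == 'skip':   return sigma
    if tag == 'seq':    return C_d(c[2], rho, C_d(c[1], rho, sigma))   # let sigma' = ... in ...
    if tag == 'assign': return upd(sigma, c[1], E(c[2], rho, sigma))
    if tag == 'if':     return C_d(c[2] if iszero(E(c[1], rho, sigma)) else c[3], rho, sigma)
    if tag == 'while':
        def w(s):                                  # letrec w = lambda sigma. ...
            return w(C_d(c[2], rho, s)) if iszero(E(c[1], rho, s)) else s
        return w(sigma)
    if tag == 'call':   return lookup(rho, c[1])(E(c[2], rho, sigma))(sigma)
    raise ValueError(c)

def Z_d(z, rho, sigma):
    """Fig. 4: Z[[z]] rho sigma -> Store; a proc/fun closes over rho at its declaration."""
    if z[0] == 'proc':
        _, p, m, c, body = z
        return Z_d(body, ext(rho, p, lambda i: lambda s: C_d(c, ext(rho, m, i), s)), sigma)
    if z[0] == 'fun':
        _, f, m, e, body = z
        return Z_d(body, ext(rho, f, lambda i: lambda s: E(e, ext(rho, m, i), s)), sigma)
    return C_d(z[1], rho, sigma)                   # ('cmd', c)

def C_c(c, rho, sigma, kappa):
    """Fig. 5: C[[c]] rho sigma kappa -> Ans, with kappa : Store -> Ans."""
    tag = c[0]
    if tag == 'skip':   return kappa(sigma)
    if tag == 'seq':    return C_c(c[1], rho, sigma, lambda s1: C_c(c[2], rho, s1, kappa))
    if tag == 'assign': return kappa(upd(sigma, c[1], E(c[2], rho, sigma)))
    if tag == 'if':     return C_c(c[2] if iszero(E(c[1], rho, sigma)) else c[3], rho, sigma, kappa)
    if tag == 'while':
        def w(s, k):                               # letrec w = lambda sigma. lambda kappa'. ...
            return C_c(c[2], rho, s, lambda s1: w(s1, k)) if iszero(E(c[1], rho, s)) else k(s)
        return w(sigma, kappa)
    if tag == 'call':   return lookup(rho, c[1])(E(c[2], rho, sigma))(sigma)(kappa)
    raise ValueError(c)

def Z_c(z, rho, sigma, kappa):
    """Fig. 5: Z[[z]] rho sigma kappa -> Ans."""
    if z[0] == 'proc':
        _, p, m, c, body = z
        return Z_c(body, ext(rho, p, lambda i: lambda s: lambda k: C_c(c, ext(rho, m, i), s, k)), sigma, kappa)
    if z[0] == 'fun':
        _, f, m, e, body = z
        return Z_c(body, ext(rho, f, lambda i: lambda s: E(e, ext(rho, m, i), s)), sigma, kappa)
    return C_c(z[1], rho, sigma, kappa)

# Constructed sample program, in the syntax of Fig. 3:
#   fun plus2 (m) = succ (succ m) in
#   proc step (m) = 0 := apply plus2 (m) ; 1 := pred (deref 1) ;
#                   if deref 1 then 2 := succ 0 else skip   in
#   while deref 2 do call step (deref 0).
# Location 1 counts remaining rounds, location 2 is a stop flag raised once
# location 1 reaches zero, and location 0 grows by two per round.
SAMPLE = ('fun', 'plus2', 'm', ('succ', ('succ', ('var', 'm'))),
          ('proc', 'step', 'm',
           ('seq', ('assign', 0, ('apply', 'plus2', ('var', 'm'))),
            ('seq', ('assign', 1, ('pred', ('deref', 1))),
             ('if', ('deref', 1), ('assign', 2, ('succ', ('num', 0))), ('skip',)))),
           ('cmd', ('while', ('deref', 2), ('call', 'step', ('deref', 0))))))
INITIAL_STORE = {0: 0, 1: 3, 2: 0}

def run_direct(z=SAMPLE, sigma=INITIAL_STORE):
    return Z_d(z, {}, sigma)

def run_continuation(z=SAMPLE, sigma=INITIAL_STORE):
    # Ans = Store here: the initial continuation hands back the final store.
    return Z_c(z, {}, sigma, lambda s: s)
```

Both `run_direct()` and `run_continuation()` yield the store `{0: 6, 1: 0, 2: 1}` for the sample: three rounds each adding two to location 0. Note that the `E` function is shared verbatim between the two interpreters, which is the point footnote 5 makes about expressions staying in direct style.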


$e \in \Lambda\text{-exp}$, $a \in \Lambda\text{-abs}$, $r \in \delta\text{-rule}$

$$e ::= i \mid a \mid (e_0\ e_1) \mid \mathbf{if}\ e_1\ \mathbf{then}\ e_2\ \mathbf{else}\ e_3 \mid \mathbf{let}\ i = e_0\ \mathbf{in}\ e_1 \mid \mathbf{letrec}\ i = a\ \mathbf{in}\ e \mid r$$

$$a ::= \lambda i : t . e$$

$$r ::= op_0 \mid op_1\ e \mid op_2\ e_1\ e_2 \mid \ldots$$

$t \in Type$

$$t ::= \iota \mid t_0 \to t_1$$

Fig. 6. Abstract syntax for an extended typed λ-calculus


The primitive domains Store, Env, and Ide form the base types and the semantic-algebra operations such as upd and fetch become δ-rules.

The valuation functions become typed λ-terms. A key point in this step is that operational notions such as non-termination and recursion (represented explicitly in the denotational semantics by the special element ⊥ and least fixed-point operations over cpo's) must be captured implicitly in the reduction properties of the λ-terms.

Following Schmidt [28], let expressions used in the direct semantics of Figure 4 include a strictness check over some lifted domain $A_\bot$. They are defined as follows.

$$\mathbf{let}\ i = e_0\ \mathbf{in}\ e_1 = \begin{cases} \bot & \text{if } e_0 = \bot \\ (\lambda i . e_1)\,e_0 & \text{otherwise} \end{cases}$$

So each let expression is represented with an eager binding construct. The operational behavior of the binding construct (i.e., call-by-value) captures the appropriate termination properties [24].

Similarly, letrec is defined by the usual desugaring into the fixed-point operator. So each letrec expression is represented with the usual recursive binding construct. Its operational behavior approximates the computation of the least fixed-point of a function.

4 Analyzing the Representation of a Direct-Style Definition

As pointed out in Section 1.1, transforming the λ-representation of a direct semantics into continuation style using a call-by-name transformation does not yield the λ-representation of a realistic continuation semantics. Essentially, the transformation introduces more continuations than are needed.⁵ In this section, we go back to the source [25] and investigate where continuations are really necessary.

⁵ For example, in Figure 5, $\mathcal{E}$ is expressed in direct style even though it is part of a continuation semantics. We aim to clarify why $\mathcal{E}$ does not need any continuation, and to establish conditions that allow one to transform the text of Figure 4 into the text of Figure 5, automatically.


4.1 Reynolds's notion of trivial and serious terms

Originally, Reynolds distinguished between "trivial" terms (whose evaluation never diverges) and "serious" terms (whose evaluation might diverge) [25]. Trivial terms correspond to Plotkin's notion of "value" [24]. Since introducing continuations aims at obtaining evaluation-order independence, only serious terms need to be transformed into continuation style. As an approximation, Reynolds decided that all applications are serious terms and thus they all need a continuation, forcing each function to be passed a continuation.

Considering the particular case of denotational semantics, this approximation often is too coarse. For example, valuation functions are usually curried. Most of the time, the result of applying a valuation function to an abstract-syntax tree is a λ-abstraction. In fact, this is the case for $\mathcal{Z}$, $\mathcal{C}$, and $\mathcal{E}$ in Figure 4. Since a λ-abstraction is a trivial term, applying a valuation function does not yield a serious term. Thus it is too conservative to approximate all applications as serious terms.⁶


4.2 Trivial and serious functions

In a denotational-semantics specification, a function is defined textually as a λ-abstraction.

- If the body of this λ-abstraction is trivial, the function is obviously total. Since evaluating the body does not require a continuation, the function does not need a continuation either.

- Conversely, if the body of a λ-abstraction is serious, the corresponding function may be partial. Since evaluating the body requires a continuation, the function needs to be passed this continuation.

We refer to such λ-abstractions as "trivial functions" and "serious functions", respectively.

Let us now turn to the arguments of these functions. Denotational specifications are customarily higher-order, so it is not obvious which expression occurs as the argument of which λ-abstraction. However, following Reynolds again [25], we can enumerate the λ-abstractions that may occur in each higher-order application. This enumeration is achieved by control-flow analysis (a.k.a. closure analysis) [29, 30].

⁶ This is probably why Reynolds's definitional interpreters are uncurried [25].
4.3 Call-by-value and call-by-name functions

A λ-abstraction can be applied to a trivial argument or to a serious one. Again, trivial arguments do not need to be computed with a continuation. Conversely, serious arguments need to be computed with a continuation. We approximate this situation by stating that if a λ-abstraction is always applied to trivial arguments, we can pass the arguments as they are, and that if a function may be applied to a serious argument, then all arguments are computed with a continuation. By analogy with the fact that evaluating a trivial expression must yield a value, we refer to the former λ-abstractions as "call-by-value functions" and to the latter as "call-by-name functions". So let us consider the four cases of λ-abstractions:

1. trivial call-by-value functions (i.e., λ-abstractions whose bodies are trivial and that are applied to trivial arguments);

2. trivial call-by-name functions (i.e., λ-abstractions whose bodies are trivial and that are applied to serious arguments);

3. serious call-by-value functions (i.e., λ-abstractions whose bodies are serious and that are applied to trivial arguments);

4. serious call-by-name functions (i.e., λ-abstractions whose bodies are serious and that are applied to serious arguments).

Correspondingly, a variable declared in a call-by-value (resp. call-by-name) function is a trivial (resp. serious) expression.

In the following section, we describe how to annotate λ-abstractions and applications to account for their triviality and their seriousness, and for their mode of parameter passing.

5 Annotating the Representation of a Direct-Style Definition

Figure 7 presents the syntax of the annotated λ-calculus. Essentially, we introduce the explicit infix notation @ in applications, and we tag the constructs and types that depart from standard call-by-name.⁷

Constructs and types associated with trivial functions are annotated with "t". Constructs and types associated with call-by-value are annotated with "v". Constructs and types associated with both are annotated with "tv". For example, $\lambda_{tv} x . e$ denotes a call-by-value trivial λ-abstraction. $i$ is a variable declared in a call-by-name λ-abstraction. $i_v$ is a variable declared in a call-by-value λ-abstraction. $e_0\ @\ e_1$ denotes the application of a call-by-name serious function to an argument. $e'_0\ @_t\ e'_1$ denotes the application of a call-by-name trivial function to an argument.

We also use the annotations trivial and serious to tag trivial and serious expressions. The annotation tags form a partially ordered set $(AnnTag, \sqsubseteq)$ where

⁷ This follows the spirit of the diacritical convention: only the terms whose meaning is farthest from the original meaning (i.e., call-by-name) are annotated [16, 31].
$e \in Ann\text{-}\lambda\text{-exp}$, $a \in Ann\text{-}\lambda\text{-abs}$, $r \in \delta\text{-rule}$

$$e ::= i_v \mid i \mid a \mid e_0\ @_{tv}\ e_1 \mid e_0\ @_v\ e_1 \mid e_0\ @_t\ e_1 \mid e_0\ @\ e_1 \mid \mathbf{if}\ e_1\ \mathbf{then}\ e_2\ \mathbf{else}\ e_3 \mid \mathbf{let}\ i = e_0\ \mathbf{in}\ e_1 \mid \mathbf{letrec}\ i = a\ \mathbf{in}\ e \mid r$$

$$a ::= \lambda_{tv} i : \tau . e \mid \lambda_v i : \tau . e \mid \lambda_t i : \tau . e \mid \lambda i : \tau . e$$

$$r ::= op_0 \mid op_1\ e \mid op_2\ e_1\ e_2 \mid \ldots$$

$\tau \in AnnType$

$$\tau ::= \iota \mid \tau_0 \to_{tv} \tau_1 \mid \tau_0 \to_v \tau_1 \mid \tau_0 \to_t \tau_1 \mid \tau_0 \to \tau_1$$

$\alpha \in AnnTag$

$$\alpha ::= \mathit{trivial} \mid \mathit{serious}$$

Fig. 7. Abstract syntax for the annotated typed λ-calculus


$\mathit{trivial} \sqsubseteq \mathit{serious}$. They will contribute to characterizing reduction properties of individual terms.

Figure 8 presents type-annotation rules for the annotated λ-calculus. Each term is associated with a pair $(\tau, \alpha)$. The first component $\tau \in AnnType$ is an annotated type. The second component $\alpha \in AnnTag$ indicates whether the term is trivial or serious. $\Gamma$ is a set of type assumptions where each element is of the form $i : \tau$. For simplicity, we assume that all identifier names are unique, and that the algebraic operators cannot diverge.

The other binding constructs also warrant explanation. In the let construct, the actual parameter $e_0$ may be either trivial or serious. However, due to the eager evaluation of $e_0$, $i$ always binds to a value and thus is annotated as trivial. Of course, binding may not occur at all due to the diverging evaluation of a serious $e_0$. This is captured by the fact that a serious $e_0$ causes the entire construct to be classified as serious. In the letrec construct, the declared identifier $i$ always binds to a λ-abstraction and is thus annotated as trivial.

Note that there is redundancy in the given annotation scheme. In particular, annotation pairs $(\tau, \alpha)$ are sufficient for our purposes.⁸ Annotations on terms have been included to simplify the presentation of the transformation into continuation style in Section 5.2.

5.1 Correct assignment of annotations

To formalize the correctness of the annotation rules, let us introduce the following notation. $\Downarrow_n$ and $\Downarrow_v$ respectively denote the relations defined by a call-by-name

⁸ The annotation scheme can also be phrased more elegantly in terms of Moggi's computational metalanguage [17]: serious terms are typed as computations, trivial terms are typed as values. This point is developed elsewhere [10, 11].

Identifiers:

$$\Gamma \cup \{i : \tau\} \vdash_a i : (\tau, \mathit{serious}) \qquad \Gamma \cup \{i_v : \tau\} \vdash_a i_v : (\tau, \mathit{trivial})$$

Primitive Operators:

$$\Gamma \vdash_a op_0 : (\iota, \mathit{trivial}) \qquad \frac{\Gamma \vdash_a e_1 : (\iota, \alpha)}{\Gamma \vdash_a op_1\ e_1 : (\iota, \alpha)} \qquad \frac{\Gamma \vdash_a e_1 : (\iota, \alpha_1) \quad \Gamma \vdash_a e_2 : (\iota, \alpha_2)}{\Gamma \vdash_a op_2\ e_1\ e_2 : (\iota, \alpha_1 \sqcup \alpha_2)}$$

Conditional:

$$\frac{\Gamma \vdash_a e_1 : (\iota, \alpha_1) \quad \Gamma \vdash_a e_2 : (\tau, \alpha_2) \quad \Gamma \vdash_a e_3 : (\tau, \alpha_3)}{\Gamma \vdash_a \mathbf{if}\ e_1\ \mathbf{then}\ e_2\ \mathbf{else}\ e_3 : (\tau, \alpha_1 \sqcup \alpha_2 \sqcup \alpha_3)}$$

Eager Binding:

$$\frac{\Gamma \vdash_a e_0 : (\tau_0, \alpha_0) \quad \Gamma \cup \{i_v : \tau_0\} \vdash_a e_1 : (\tau_1, \alpha_1)}{\Gamma \vdash_a \mathbf{let}\ i = e_0\ \mathbf{in}\ e_1 : (\tau_1, \alpha_0 \sqcup \alpha_1)}$$

Recursive Binding:

$$\frac{\Gamma \cup \{i_v : \tau_0\} \vdash_a a : (\tau_0, \mathit{trivial}) \quad \Gamma \cup \{i_v : \tau_0\} \vdash_a e : (\tau_1, \alpha)}{\Gamma \vdash_a \mathbf{letrec}\ i = a\ \mathbf{in}\ e : (\tau_1, \alpha)}$$

Abstractions:

$$\frac{\Gamma \cup \{i : \tau_0\} \vdash_a e : (\tau_1, \mathit{trivial})}{\Gamma \vdash_a \lambda_t i : \tau_0 . e : (\tau_0 \to_t \tau_1, \mathit{trivial})} \qquad \frac{\Gamma \cup \{i : \tau_0\} \vdash_a e : (\tau_1, \mathit{serious})}{\Gamma \vdash_a \lambda i : \tau_0 . e : (\tau_0 \to \tau_1, \mathit{trivial})}$$

$$\frac{\Gamma \cup \{i_v : \tau_0\} \vdash_a e : (\tau_1, \mathit{trivial})}{\Gamma \vdash_a \lambda_{tv} i : \tau_0 . e : (\tau_0 \to_{tv} \tau_1, \mathit{trivial})} \qquad \frac{\Gamma \cup \{i_v : \tau_0\} \vdash_a e : (\tau_1, \mathit{serious})}{\Gamma \vdash_a \lambda_v i : \tau_0 . e : (\tau_0 \to_v \tau_1, \mathit{trivial})}$$

Applications:

$$\frac{\Gamma \vdash_a e_0 : (\tau_0 \to_{tv} \tau_1, \alpha) \quad \Gamma \vdash_a e_1 : (\tau_0, \mathit{trivial})}{\Gamma \vdash_a e_0\ @_{tv}\ e_1 : (\tau_1, \alpha)} \qquad \frac{\Gamma \vdash_a e_0 : (\tau_0 \to_t \tau_1, \alpha) \quad \Gamma \vdash_a e_1 : (\tau_0, \mathit{serious})}{\Gamma \vdash_a e_0\ @_t\ e_1 : (\tau_1, \alpha)}$$

$$\frac{\Gamma \vdash_a e_0 : (\tau_0 \to_v \tau_1, \alpha) \quad \Gamma \vdash_a e_1 : (\tau_0, \mathit{trivial})}{\Gamma \vdash_a e_0\ @_v\ e_1 : (\tau_1, \mathit{serious})} \qquad \frac{\Gamma \vdash_a e_0 : (\tau_0 \to \tau_1, \alpha) \quad \Gamma \vdash_a e_1 : (\tau_0, \mathit{serious})}{\Gamma \vdash_a e_0\ @\ e_1 : (\tau_1, \mathit{serious})}$$

Generalization:

$$\frac{\Gamma \vdash_a e : (\tau, \mathit{trivial})}{\Gamma \vdash_a e : (\tau, \mathit{serious})}$$

Fig. 8. Type-checking rules for the annotated λ-calculus


and call-by-value operational semantics for the non-annotated λ-calculus ($\Lambda\text{-exp}$) of Figure 6. For either reduction relation, $e \Downarrow v$ (read "$e$ halts at value $v$") denotes the reduction of some type-correct closed term $e \in \Lambda\text{-exp}$ to a value $v$ (i.e., a constant or a λ-abstraction). Similarly, $e \Downarrow$ (read "$e$ halts") denotes the reduction of some type-correct closed term $e$ to an unspecified value.

Let $\mathcal{A} : \Lambda\text{-exp} \to Ann\text{-}\lambda\text{-exp}$ denote an annotation-assigning function. $\mathcal{A}$ is considered to be correct if and only if it satisfies both of the following properties.

Property 1 (Soundness) An annotation function $\mathcal{A}$ is sound iff for all type-correct closed terms $e \in \Lambda\text{-exp}$, $\mathcal{A}\llbracket e \rrbracket = e' : (\tau, \mathit{trivial})$ implies $e \Downarrow_n$, that is, the evaluation of $e$ terminates under call-by-name reduction.

Property 2 (Consistency) An annotation function $\mathcal{A}$ is consistent iff for all type-correct closed terms $e \in \Lambda\text{-exp}$, $\mathcal{A}\llbracket e \rrbracket = e' : (\tau, \alpha)$ implies $\vdash_a e' : (\tau, \alpha)$.

The process of assigning annotations can be automated using the techniques of abstract interpretation or of type inference. The abstract interpretation approach is summarized as follows. As a first step, the application sites of each abstraction are enumerated using a control-flow analysis [30]. The enumeration of application sites allows a straightforward generalization of Mycroft's ♭ termination analysis to our higher-order language [20]. The correctness of the termination analysis establishes the required soundness property (Property 1). Based on the results of the termination analysis, terms are assigned annotations via our type-annotation rules of Figure 8. At this step, the Generalization rule of Figure 8 needs to be used to establish the consistency requirement (Property 2). For example, if an abstraction is applied to both trivial and serious arguments, all trivial arguments are generalized to serious terms.

Note that the Generalization rule may lead to more than one correct assignment of annotations to a particular term. However, no semantic ambiguity results, since the transformation C_A is correct for all correct annotation assignments A (see Proposition 3).

5.2 A transformation for the annotated λ-calculus

Figure 9 displays the extended transformation into continuation style. The transformation C_A[·] is used over both serious and trivial terms and dispatches to either C_A(·) or C_A⟦·⟧:

— C_A(·) transforms trivial terms. No continuations are introduced in the transformed terms.

— C_A⟦·⟧ transforms serious terms. Continuations are introduced in each transformed term.

Figure 9 displays the transformation C_A on types as well. C_A is extended to type assumptions by defining

$$C_A[\{\ldots, i_v : \tau, i'_n : \tau', \ldots\}] = \{\ldots, i : C_A(\tau), i' : C_A[\![\tau']\!], \ldots\}$$

The following proposition states the relationship between the types of annotated terms and the types of terms in the image of C_A.


General Transformation:

$$C_A[e : (\tau, \alpha)] : C_A[\tau]$$

$$C_A[e : (\tau, \mathit{trivial})] = \lambda\kappa . \kappa\ C_A(e) \qquad C_A[e : (\tau, \mathit{serious})] = C_A[\![e]\!]$$

Trivial Terms:

$$C_A(e : (\tau, \mathit{trivial})) : C_A(\tau)$$

$$C_A(i) = i \qquad C_A(op_0) = op_0 \qquad C_A(op_1\ e_1) = op_1\ C_A(e_1) \qquad C_A(op_2\ e_1\ e_2) = op_2\ C_A(e_1)\ C_A(e_2)$$

$$C_A(\mathit{if}\ e_0\ \mathit{then}\ e_1\ \mathit{else}\ e_2) = \mathit{if}\ C_A(e_0)\ \mathit{then}\ C_A(e_1)\ \mathit{else}\ C_A(e_2)$$

$$C_A(\mathit{let}\ i = e_0\ \mathit{in}\ e_1) = \mathit{let}\ i = C_A(e_0)\ \mathit{in}\ C_A(e_1) \qquad C_A(\mathit{letrec}\ i = a\ \mathit{in}\ e) = \mathit{letrec}\ i = C_A(a)\ \mathit{in}\ C_A(e)$$

$$C_A(\lambda_{tv}\, i : \tau . e) = \lambda i : C_A(\tau) . C_A(e) \qquad C_A(\lambda_{v}\, i : \tau . e) = \lambda i : C_A(\tau) . C_A[\![e]\!]$$

$$C_A(\lambda_{tn}\, i : \tau . e) = \lambda i : C_A[\![\tau]\!] . C_A(e) \qquad C_A(\lambda_{n}\, i : \tau . e) = \lambda i : C_A[\![\tau]\!] . C_A[\![e]\!]$$

$$C_A(e_0 \,@_{tv}\, e_1) = C_A(e_0)\ C_A(e_1) \qquad C_A(e_0 \,@_{tn}\, e_1) = C_A(e_0)\ C_A[\![e_1]\!]$$

Serious Terms:

$$C_A[\![e : (\tau, \mathit{serious})]\!] : C_A[\![\tau]\!]$$

$$C_A[\![i]\!] = i$$

$$C_A[\![op_1\ e_1]\!] = \lambda\kappa . C_A[e_1]\,(\lambda v_1 . \kappa\,(op_1\ v_1))$$

$$C_A[\![op_2\ e_1\ e_2]\!] = \lambda\kappa . C_A[e_1]\,(\lambda v_1 . C_A[e_2]\,(\lambda v_2 . \kappa\,(op_2\ v_1\ v_2)))$$

$$C_A[\![\mathit{if}\ e_0\ \mathit{then}\ e_1\ \mathit{else}\ e_2]\!] = \lambda\kappa . C_A[e_0]\,(\lambda v_0 . \mathit{if}\ v_0\ \mathit{then}\ C_A[e_1]\ \kappa\ \mathit{else}\ C_A[e_2]\ \kappa)$$

$$C_A[\![\mathit{let}\ i = e_0\ \mathit{in}\ e_1]\!] = \lambda\kappa . C_A[e_0]\,(\lambda i . C_A[e_1]\ \kappa)$$

$$C_A[\![\mathit{letrec}\ i = a\ \mathit{in}\ e]\!] = \lambda\kappa . \mathit{letrec}\ i = C_A(a)\ \mathit{in}\ C_A[e]\ \kappa$$

$$C_A[\![e_0 \,@_{tv}\, e_1]\!] = \lambda\kappa . C_A[e_0]\,(\lambda v_0 . \kappa\,(v_0\ C_A(e_1)))$$

$$C_A[\![e_0 \,@_{tn}\, e_1]\!] = \lambda\kappa . C_A[e_0]\,(\lambda v_0 . \kappa\,(v_0\ C_A[\![e_1]\!]))$$

$$C_A[\![e_0 \,@_{v}\, e_1]\!] = \lambda\kappa . C_A[e_0]\,(\lambda v_0 . (v_0\ C_A(e_1))\ \kappa)$$

$$C_A[\![e_0 \,@_{n}\, e_1]\!] = \lambda\kappa . C_A[e_0]\,(\lambda v_0 . (v_0\ C_A[\![e_1]\!])\ \kappa)$$

Types:

$$C_A[\tau] = C_A[\![\tau]\!] \qquad C_A[\![\tau]\!] = (C_A(\tau) \to \mathit{Ans}) \to \mathit{Ans} \qquad C_A(\iota) = \iota$$

$$C_A(\tau_0 \to_{tv} \tau_1) = C_A(\tau_0) \to C_A(\tau_1) \qquad C_A(\tau_0 \to_{v} \tau_1) = C_A(\tau_0) \to C_A[\![\tau_1]\!]$$

$$C_A(\tau_0 \to_{tn} \tau_1) = C_A[\![\tau_0]\!] \to C_A(\tau_1) \qquad C_A(\tau_0 \to_{n} \tau_1) = C_A[\![\tau_0]\!] \to C_A[\![\tau_1]\!]$$

Fig. 9. Transformation of annotated λ-terms into continuation style


Proposition 2.

- If Γ ⊢_A e : (τ, α) then C_A[Γ] ⊢ C_A[e] : C_A[τ].

- If Γ ⊢_A e : (τ, serious) then C_A[Γ] ⊢ C_A⟦e⟧ : C_A⟦τ⟧.

- If Γ ⊢_A e : (τ, trivial) then C_A[Γ] ⊢ C_A(e) : C_A(τ).

The correctness of C_A is stated as follows. (The notation “e ⇓_n r” is defined in Section 5.1.)

Proposition 3. For all type-correct closed terms e of base type and for all correct annotation-assigning functions A,

$$e \Downarrow_n r \iff (C_A \circ A)[e]\,(\lambda i : \iota . i) \Downarrow_n r \iff (C_A \circ A)[e]\,(\lambda i : \iota . i) \Downarrow_v r$$

Proof. See [10].

5.3 Assessment

Restricting the new transformation C_A (see Figure 9) to call-by-name serious λ-terms yields the call-by-name transformation into continuation style (see Figure 2). Conversely, restricting C_A to call-by-value trivial λ-terms yields the identity transformation — no continuations are needed at all (e.g., the denotational semantics of a strongly-normalizing language or of the language of Figure 3 without the “while” statement). Thus, C_A generalizes both the call-by-name transformation into continuation style and the identity transformation.
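As an added example (not the paper's code), the transformation of Figure 9 is implemented below for a small fragment of the annotated λ-calculus with all four abstraction and all four application forms; transformed terms are Python closures, so (C_A ∘ A)[e] applied to the identity continuation runs under Python's own call-by-value evaluation, as Proposition 3 licenses. The term encoding, `direct`, `run`, `boom` and the two sample terms are constructed for this example and are assumptions of it, not notation from the paper.

```python
# Added example, not the paper's code: the selective CPS transformation C_A of
# Figure 9 on a small annotated lambda-calculus. Transformed terms are Python
# closures over an environment, so they run under Python's own call-by-value
# evaluation. Term = (ann, form, *fields) with ann in {'t','s'} (trivial/serious):
#   ('var', i)  ('const', n)  ('op1', f, e1)  ('lam', kind, i, body)  ('app', kind, e0, e1)
#   lambda kinds {'tv','v','tn','n'}, application kinds {'tv','tn','v','n'}; a variable
#   is annotated 't' if bound by lambda_tv/lambda_v and 's' if bound by lambda_tn/lambda_n.

def T(e):  # C_A[e]: dispatch on the annotation; the result maps env -> (k -> ans)
    if e[0] == 't':
        return lambda env: lambda k: k(V(e)(env))        # lambda kappa. kappa C_A(e)
    return S(e)

def V(e):  # C_A(e) for trivial terms: env -> value; no continuation is introduced
    form, f = e[1], e[2:]
    if form == 'var':   return lambda env: env[f[0]]
    if form == 'const': return lambda env: f[0]
    if form == 'op1':   return lambda env: f[0](V(f[1])(env))
    if form == 'lam':
        kind, i, body = f
        B = V(body) if kind in ('tv', 'tn') else S(body)  # C_A(body) or C_A<<body>>
        return lambda env: lambda x: B({**env, i: x})
    kind, e0, e1 = f                                      # trivial application
    A = V(e1) if kind == 'tv' else T(e1)                  # @_tn passes a computation
    return lambda env: V(e0)(env)(A(env))

def S(e):  # C_A<<e>> for serious terms: env -> (k -> ans)
    form, f = e[1], e[2:]
    if form == 'var': return lambda env: env[f[0]]        # name-bound: a computation
    if form == 'op1':
        g, E1 = f[0], T(f[1])
        return lambda env: lambda k: E1(env)(lambda v1: k(g(v1)))
    if form == 'app':
        kind, e0, e1 = f
        E0, A = T(e0), (V(e1) if kind in ('tv', 'v') else T(e1))
        if kind in ('tv', 'tn'):                          # trivial function: value result
            return lambda env: lambda k: E0(env)(lambda v0: k(v0(A(env))))
        return lambda env: lambda k: E0(env)(lambda v0: v0(A(env))(k))
    return lambda env: lambda k: k(V(e)(env))             # generalized trivial form

def run(e):
    return T(e)({})(lambda v: v)   # (C_A o A)[e] applied to the identity continuation

def direct(e, env=None):  # the same term in direct style, arguments forced first
    env, form, f = env or {}, e[1], e[2:]
    if form == 'var':   return env[f[0]]
    if form == 'const': return f[0]
    if form == 'op1':   return f[0](direct(f[1], env))
    if form == 'lam':   return lambda x: direct(f[2], {**env, f[1]: x})
    return direct(f[1], env)(direct(f[2], env))

def boom(_):  # stands in for a non-terminating (serious) argument
    raise RuntimeError("forced a diverging argument")
succ = lambda v: v + 1
# Constructed samples: IGNORE = (lambda_tn x. 7) @_tn (boom 0), a trivial application
# whose serious argument is never needed; USE = (lambda_n x. succ x) @_n (succ 1).
IGNORE = ('t', 'app', 'tn', ('t', 'lam', 'tn', 'x', ('t', 'const', 7)),
          ('s', 'op1', boom, ('t', 'const', 0)))
USE = ('s', 'app', 'n', ('t', 'lam', 'n', 'x', ('s', 'op1', succ, ('s', 'var', 'x'))),
       ('s', 'op1', succ, ('t', 'const', 1)))
```

`run(IGNORE)` returns 7 under Python's call-by-value evaluation, whereas `direct(IGNORE)` forces the argument and raises; `run(USE)` and `direct(USE)` both return 3.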

6 Some Properties of the Direct-Style Definition of the Simple Imperative Language (Figure 4)

Property 3 Z[Program], C[Command], and E[Expression] are trivial and call-by-value.

Proof. Each is call-by-value because it is not possible for an argument expression of type Env to diverge. Each is trivial because a λ-abstraction (a value) is always returned.

Property 4 The function type Com is call-by-value and serious.

Proof. Due to the eager binding of the let construct, each command is passed a reduced store value. Therefore, the function type can be classified as call-by-value. Commands are serious because looping may occur in the while construct (this was accounted for by the lifting of the codomain of Com).

Property 5 The function type Exp is call-by-value and trivial.

Proof. Due to the call-by-value property of commands, each expression is passed a reduced store value. Therefore, the function type can be classified as call-by-value. No expression contains components which may loop. Therefore expressions are trivial.

Property 6 Proc and Fun are call-by-value and trivial.

Proof. The arguments to procedures and functions originate from the evaluation of expressions, which can never loop. Therefore, the function spaces are classified as call-by-value. They are trivial because they both return λ-abstractions.

Figure 10 presents an annotated representation of the direct semantics of Figure 4.⁹ Any reasonable implementation of A as outlined in Section 5.1 would assign such annotations automatically. Let us now transform the annotated terms into continuation style.

7 Transforming the Representation of a Direct-Style Definition

Fact 1 Transforming the annotated λ-representation of the direct semantics in Figure 10 into continuation style does yield the λ-representation of the continuation semantics in Figure 5, after administrative reductions.

Further, we now have the ability to specify any kind of continuation semantics. For example, we could classify Exp to be serious (this would happen if recursive functions were allowed in the simple imperative language). This classification suffices to construct, automatically, a continuation semantics where the valuation functions for both commands and expressions are in continuation style.


8 Conclusion, Issues, and Future Work

We have tried to contribute to the study of the relation between direct and continuation semantics [26] by connecting it to the transformation of λ-terms into continuation style. To this end, we have described how to construct the representation of a realistic continuation semantics automatically, given the representation of a direct semantics. (Again, by “realistic”, we mean “that could have been written by

The situation is summarized by the diagram below.

DS semantics        =        CS semantics
     ↑                            ↑
DS λ-terms  ---- C_A ∘ A ---->  CS λ-terms


⁹ Note that non-termination — represented explicitly via lifting (e.g., Store⊥) in the semantic definition of Figure 4 — is captured implicitly in the reduction properties of terms in Figure 10. This was accounted for in Property 4: Com has a serious function type.


Semantic Domains:

$$\mathit{Com} = \mathit{Store} \to_{v} \mathit{Store} \qquad \mathit{Exp} = \mathit{Store} \to_{tv} \mathit{Nat} \qquad \mathit{Proc} = \mathit{Nat} \to_{tv} \mathit{Com} \qquad \mathit{Fun} = \mathit{Nat} \to_{tv} \mathit{Exp}$$

Valuation Functions:

$$Z[\![\mathit{Program}]\!] : \mathit{Env} \to_{tv} \mathit{Com} \qquad C[\![\mathit{Command}]\!] : \mathit{Env} \to_{tv} \mathit{Com} \qquad E[\![\mathit{Expression}]\!] : \mathit{Env} \to_{tv} \mathit{Exp}$$

$$N[\![\mathit{Numeral}]\!] : \mathit{Nat} \qquad L[\![\mathit{Location}]\!] : \mathit{Loc}$$

Programs:

$$Z[\![\mathit{proc}\ p(m) = c\ \mathit{in}\ z]\!] = \lambda_{tv}\rho . \lambda_{v}\sigma .\ Z[\![z]\!] \,@_{tv}\, (\mathit{ext}\ \rho_v\ p\ (\lambda_{tv} i .\ C[\![c]\!] \,@_{tv}\, (\mathit{ext}\ \rho_v\ m\ i_v))) \,@_{v}\, \sigma_v$$

$$Z[\![\mathit{fun}\ f(m) = e\ \mathit{in}\ z]\!] = \lambda_{tv}\rho . \lambda_{v}\sigma .\ Z[\![z]\!] \,@_{tv}\, (\mathit{ext}\ \rho_v\ f\ (\lambda_{tv} i .\ E[\![e]\!] \,@_{tv}\, (\mathit{ext}\ \rho_v\ m\ i_v))) \,@_{v}\, \sigma_v$$

$$Z[\![c .]\!] = \lambda_{tv}\rho . \lambda_{v}\sigma .\ C[\![c]\!] \,@_{tv}\, \rho_v \,@_{v}\, \sigma_v$$

Commands:

$$C[\![\mathit{skip}]\!] = \lambda_{tv}\rho . \lambda_{v}\sigma .\ \sigma_v$$

$$C[\![c_1 ; c_2]\!] = \lambda_{tv}\rho . \lambda_{v}\sigma .\ \mathit{let}_v\ \sigma' = C[\![c_1]\!] \,@_{tv}\, \rho_v \,@_{v}\, \sigma_v\ \mathit{in}\ C[\![c_2]\!] \,@_{tv}\, \rho_v \,@_{v}\, \sigma'_v$$

$$C[\![l := e]\!] = \lambda_{tv}\rho . \lambda_{v}\sigma .\ \mathit{upd}\ \sigma_v\ L[\![l]\!]\ (E[\![e]\!] \,@_{tv}\, \rho_v \,@_{tv}\, \sigma_v)$$

$$C[\![\mathit{if}\ e\ \mathit{then}\ c_1\ \mathit{else}\ c_2]\!] = \lambda_{tv}\rho . \lambda_{v}\sigma .\ \mathit{if}\ \mathit{iszero?}\ (E[\![e]\!] \,@_{tv}\, \rho_v \,@_{tv}\, \sigma_v)\ \mathit{then}\ (C[\![c_1]\!] \,@_{tv}\, \rho_v \,@_{v}\, \sigma_v)\ \mathit{else}\ (C[\![c_2]\!] \,@_{tv}\, \rho_v \,@_{v}\, \sigma_v)$$

$$C[\![\mathit{while}\ e\ \mathit{do}\ c]\!] = \lambda_{tv}\rho . \lambda_{v}\sigma .\ \mathit{letrec}_v\ w = \lambda_{v}\sigma .\ \mathit{if}\ \mathit{iszero?}\ (E[\![e]\!] \,@_{tv}\, \rho_v \,@_{tv}\, \sigma_v)\ \mathit{then}\ \mathit{let}_v\ \sigma' = C[\![c]\!] \,@_{tv}\, \rho_v \,@_{v}\, \sigma_v\ \mathit{in}\ w_v \,@_{v}\, \sigma'_v\ \mathit{else}\ \sigma_v\ \ \mathit{in}\ w_v \,@_{v}\, \sigma_v$$

$$C[\![\mathit{call}\ p(e)]\!] = \lambda_{tv}\rho . \lambda_{v}\sigma .\ (\mathit{lookup}\ \rho_v\ p) \,@_{tv}\, (E[\![e]\!] \,@_{tv}\, \rho_v \,@_{tv}\, \sigma_v) \,@_{v}\, \sigma_v$$

Expressions:

$$E[\![n]\!] = \lambda_{tv}\rho . \lambda_{tv}\sigma .\ N[\![n]\!]$$

$$E[\![m]\!] = \lambda_{tv}\rho . \lambda_{tv}\sigma .\ \mathit{lookup}\ \rho_v\ m$$

$$E[\![\mathit{succ}\ e]\!] = \lambda_{tv}\rho . \lambda_{tv}\sigma .\ \mathit{succ}\ (E[\![e]\!] \,@_{tv}\, \rho_v \,@_{tv}\, \sigma_v)$$

$$E[\![\mathit{pred}\ e]\!] = \lambda_{tv}\rho . \lambda_{tv}\sigma .\ \mathit{pred}\ (E[\![e]\!] \,@_{tv}\, \rho_v \,@_{tv}\, \sigma_v)$$

$$E[\![\mathit{deref}\ l]\!] = \lambda_{tv}\rho . \lambda_{tv}\sigma .\ \mathit{fetch}\ \sigma_v\ L[\![l]\!]$$

$$E[\![\mathit{apply}\ f(e)]\!] = \lambda_{tv}\rho . \lambda_{tv}\sigma .\ (\mathit{lookup}\ \rho_v\ f) \,@_{tv}\, (E[\![e]\!] \,@_{tv}\, \rho_v \,@_{tv}\, \sigma_v) \,@_{tv}\, \sigma_v$$

Fig. 10. Annotated representation of the direct semantics in Figure 4
Based on the annotations produced by A, the transformation C_A introduces just enough continuations to preserve call-by-name meaning under both call-by-name and call-by-value reduction. C_A generalizes both the call-by-name continuation transformation (should all terms be serious) and the identity transformation (should all terms be trivial).


8.1 A shortcoming?

One might criticize one shortcoming of this approach: it only produces the representation of a continuation semantics, not the continuation semantics itself. One answer to this criticism goes as follows.

Why would one want a continuation semantics when one already has a brave and honest direct semantics?¹⁰ Not for the love of mathematics alone, but for implementation purposes [16, 18]! But then one does not need the continuation semantics, but its representation — which is precisely what our new transformation produces automatically. Therefore our approach enables the language developer to stay with one mathematical model — the direct semantics — and to derive the continuation semantics as part of the implementation work.


8.2 An alternative?

One could transform the direct semantics into continuation style and then simplify the result into a manageable continuation semantics. We believe that our approach is more natural, since most of the work operates over the original direct semantics and the rest is automatic. (A worthwhile property, considering how counter-intuitive continuation-style specifications may look.)


8.3 Applications

Semantics-directed compiler-generation systems often work on continuation semantics [13, 14, 16, 18], thus forcing one to write a continuation semantics and to prove its congruence with the direct one. Our new transformation allows one to produce the representation of a continuation semantics automatically.

Partial evaluators work better on continuation-passing programs, but again not all continuations are always necessary [2, 3]. Our extended transformation into continuation style makes it possible to reduce the occurrences of continuations in a source program. In addition, it also enables partial evaluation of call-by-name programs (after evaluation-order analysis — be it for strictness or termination) with a regular partial evaluator for call-by-value programs.

¹⁰ Of course, the situation is different if the source language includes some form of jump. But then one has no direct semantics and thus starts with a continuation semantics.


8.4 Variations

Denotational definitions are written in various fashions. We briefly mention how the present work can be adapted to other fashions.

Partial functions are often used in place of total functions and lifted domains when modeling non-terminating computations [23, 34]. Our explanation of totality and partiality in terms of trivial and serious functions naturally applies to denotational specifications based on partial functions.

Strict functions are often used to model the strictness properties associated with eager (i.e., call-by-value) functions [23, 28]. For simplicity of presentation, we have expressed strictness properties using let constructs only. Just as let expressions are represented using eager binding constructs, strict functions are represented using eager applications. Thus, a transformation of an annotated language including both eager and normal-order application generalizes both the call-by-value and the call-by-name transformation into continuation style. We have presented a formalization of such a mixed transformation elsewhere [5].

Continuation semantics of imperative languages often express the meaning of commands as “continuation transformers” [28, 34]. Specifically, the functionality of Com is given as

(Store → Ans) → Store → Ans.

It is very simple to specify a transformation into continuation style that “puts continuations first”, as in Fischer's original transformation [7, 27]. Such a transformation would naturally yield the functionality above.

Finally, our work has relied on denotational definitions being stated using a simply-typed meta-language. This meta-language is sufficient for defining simple imperative languages and simply-typed languages such as Algol 60, Pascal, and PCF. We are currently investigating how the results presented here can be extended to a meta-language with recursive types. This would be necessary for defining untyped languages such as Scheme.

8.5 Generalization

The work presented here can be generalized to other styles than continuation style. Alternatively, one could define a core meta-language and parameterize it with the style of the interpretation. This approach is reminiscent of Mosses and Watt's Action Semantics [19, 35], of the Nielsons' two-level meta-language [23], and of Moggi's computational λ-calculus [17]. We investigate it elsewhere [11].

8.6 Transforming the representation of a continuation semantics into direct style

The transformation from continuation style to direct style has been investigated recently [4, 6, 12, 27], and enables one to transform the representation of a continuation semantics into direct style. Of course, we can only produce the representation of a direct semantics from a continuation semantics where continuations are second-class [31] — for example, we could not produce a direct semantics for a language with jumps [32], not without adding some kind of control operator to the λ-calculus [6]. Syntactic conditions over a continuation-passing λ-term to ensure that continuations are second-class can be found elsewhere [4]. Overall we leave this transformation for future work.

8.7 Continuation style and evaluation-order independence

It is interesting to compare the structure of the terms produced by our transformation C_A with the structure of the terms produced by, e.g., Plotkin's continuation-style transformations [24]. In addition to satisfying his Simulation, Indifference, and Translation theorems, Plotkin's continuation-style terms have two additional properties that are often utilized for implementation purposes:

— all function calls are in “tail” position;¹¹

— all intermediate values are given names.

In contrast, C_A inserts just enough continuations to preserve call-by-name meaning under both call-by-name and call-by-value reduction. Thus, C_A satisfies Plotkin's Simulation, Indifference, and Translation theorems [10], but the two additional properties above are lost because some applications may be trivial:

— Trivial applications may occur as function arguments — not a “tail” position.

— Trivial applications yield intermediate values that are not named — since trivial functions are not passed any continuation.

In other words, our transformation C_A does not produce “Continuation-Passing Style” terms (!) but it does produce terms that are independent of the evaluation order.